CN112615854A - Terminal access control method, device, access server and storage medium - Google Patents


Info

Publication number
CN112615854A
Authority
CN
China
Prior art keywords
message flow
message
access terminal
terminal
address
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011491025.8A
Other languages
Chinese (zh)
Other versions
CN112615854B (en)
Inventor
何雪岩
张红学
郭磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Events
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202011491025.8A
Publication of CN112615854A
Application granted
Publication of CN112615854B
Legal status: Active

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming; H04L61/09 Mapping addresses; H04L61/25 Mapping addresses of the same type
    • H04L63/00 Network architectures or network communication protocols for network security; H04L63/08 Network architectures or network communication protocols for network security for authentication of entities; H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/14 Session management
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass; H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]; H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures
    • H04L69/22 Parsing or analysis of headers
    • H04L2101/00 Indexing scheme associated with group H04L61/00; H04L2101/60 Types of network addresses; H04L2101/618 Details of network addresses; H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses


Abstract

The application provides a terminal admission control method, a device, an admission server and a storage medium. The terminal admission control method comprises the following steps: receiving packet traffic sent by an access terminal; when the destination IP address of the packet traffic differs from the local IP address, judging from the 5-tuple of the packet traffic whether a session with the access terminal already exists; when no session exists, judging whether the packet traffic is a TCP packet; when it is a TCP packet, judging whether it is a TCP SYN packet; when it is a TCP SYN packet, judging whether the MAC address in the packet traffic is online; when that MAC address is online, judging whether the digest value of the packet traffic is correct and, if so, establishing a session with the access terminal and reinjecting the data packet to complete admission of the access terminal. The method and the device achieve terminal admission control and have at least a wider application range and better anti-forgery performance.

Description

Terminal access control method, device, access server and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for controlling terminal admission, an admission server, and a storage medium.
Background
At present, when the traffic of a terminal behind NAT passes through the NAT device, the NAT device rewrites the source MAC and source IP address of the data packet, so the admission server cannot perceive the real IP and MAC information of the terminal behind NAT. As a result, once a single terminal behind the NAT device has passed authentication, every other terminal behind that NAT can access network resources without authenticating.
To solve this technical problem, in the existing solution an admission control server deployed in bypass mode on a convergence-layer or user-access-layer switch monitors whether any terminal in a Network Address Translation (NAT) environment establishes a communication connection with the switch; if so, it captures the network data packets the terminal sends to the switch and performs protocol analysis to judge whether a packet belongs to a NAT stream. If it is a NAT stream packet, the server judges whether the packet contains a watermark added by the terminal that uniquely identifies it; if the watermark is present, the server performs connection tracking on the connection based on the watermark to judge whether the connection is legitimate; if it is legitimate, the terminal is allowed access.
However, the existing solution has the following drawbacks: 1. the admission control server must compare the heartbeat data sent by the terminal with a preset whitelist to determine whether the terminal is in a NAT environment, and the terminal behind NAT must mark its packets for further judgment, so NAT terminals cannot be discovered automatically; 2. the watermark is applied at the network layer, namely as an option added to the IP header, so it can be filtered out by security or network devices and is neither safe nor stable; 3. the watermark is simple and easy to forge.
Disclosure of Invention
The present application aims to provide a terminal admission control method, apparatus, device and storage medium in an NAT environment, where the terminal admission control method, apparatus, device and storage medium can at least implement admission control on a terminal without determining whether a terminal is in the NAT environment, and thus the terminal admission control method, apparatus, device and storage medium have a better application range.
To this end, a first aspect of the present application discloses a terminal admission control method, which is applied in an admission server, and the method includes:
receiving message flow sent by an access terminal;
when the target IP address of the message flow is different from the IP address of the local machine, judging whether a session exists with the access terminal according to the quintuple of the message flow;
when the session does not exist, judging whether the message flow is a TCP message;
when the message flow is the TCP message, judging whether the message flow is a TCP SYN message;
when the message flow is the TCP SYN message, judging whether the MAC address in the message flow is online;
and when the MAC address in the message flow is online, judging whether the digest value of the message flow is correct, and if so, establishing a session with the access terminal and reinjecting a data packet to complete the admission of the access terminal.
When the destination IP address of the packet traffic differs from the local IP address, the method judges from the 5-tuple of the packet traffic whether a session with the access terminal already exists; when no session exists, it judges whether the traffic is a TCP packet; when it is a TCP packet, it judges whether it is a TCP SYN packet; when it is a TCP SYN packet, it judges whether the MAC address in the traffic is online; when that MAC address is online, it judges whether the digest value of the traffic is correct; and if the digest value is correct, it establishes a session with the access terminal and reinjects the data packet, finally realizing admission control of the access terminal. On the other hand, the method and the device avoid the effect on the network of adding an extra watermark.
In the first aspect of the present application, as an optional implementation, the method further includes:
and when the target IP address of the message flow is the same as the IP address of the local machine, responding to the message flow.
In this optional embodiment, if the destination IP address of the message traffic is the same as the local IP address, the message traffic is responded.
In the first aspect of the present application, as an optional implementation method, the method further includes:
and when it is judged from the quintuple of the message flow that a session with the access terminal exists, reinjecting the data packet to the access terminal.
In this optional embodiment, if there is a session with the access terminal, a data packet is reinjected to the access terminal.
In the first aspect of the present application, as an optional implementation method, the method further includes:
and when the message flow is not a TCP SYN message, judging whether a source IP in the message flow is online, if so, establishing a session with the accessed terminal and reinjecting a data packet.
In this optional embodiment, when the message traffic is not a TCP SYN message, whether to establish a session with the accessed terminal and to reinject a packet may be determined according to the source IP presence status in the message traffic.
In the first aspect of the present application, as an optional implementation manner, the determining whether the digest value of the packet traffic is correct includes:
calculating a digest verification value from the IP header identifier in the message flow, the hard disk serial number of the access terminal and the mainboard serial number of the access terminal using the MD5 algorithm;
and comparing the digest verification value with the digest value of the message flow; if the digest value of the message flow is the same as the digest verification value, determining that the digest value of the message flow is correct.
In this optional embodiment, since the IP header identifier in each packet flow of the access terminal is different, and the hard disk serial number of the access terminal and the main board serial number of the access terminal are difficult to be forged, the digest authentication value calculated according to the IP header identifier in the packet flow, the hard disk serial number of the access terminal, the main board serial number of the access terminal, and the MD5 algorithm has better forgery prevention performance.
In the first aspect of the present application, as an optional implementation manner, after the determining whether the digest value of the packet traffic is correct, before the establishing a session with the access terminal and reinjecting a data packet, the method further includes:
and judging whether the binding relationship between the source IP in the message flow and the MAC address in the message flow is correct, and if so, establishing a session with the access terminal and reinjecting a data packet.
In this optional embodiment, by determining the binding relationship between the source IP in the packet traffic and the MAC address in the packet traffic, the MAC address of the access terminal or the source IP of the access terminal can be prevented from being forged, thereby improving the accuracy of the admission control.
In the first aspect of the present application, as an optional implementation manner, before receiving the packet traffic sent by the access terminal, the method further includes:
receiving an authentication request of the access terminal, wherein the authentication request comprises authentication user information of the access terminal, a hard disk serial number of the access terminal, a mainboard serial number of the access terminal and a data packet source IP address;
and carrying out authentication response on the authentication request, and storing the authentication user information of the access terminal, the hard disk serial number of the access terminal, the mainboard serial number of the access terminal and the data packet source IP address after the authentication is successful.
In this optional embodiment, by authenticating the access terminal, the authenticated user information of the access terminal, the serial number of the hard disk of the access terminal, the serial number of the motherboard of the access terminal, and the IP address of the data packet source may be stored.
In a second aspect of the present application, a terminal admission control apparatus is disclosed, where the apparatus is applied in an admission server, and the apparatus includes:
the first receiving module is used for receiving the message flow sent by the access terminal;
a first judging module, configured to, when a target IP address of the packet traffic is different from a local IP address, judge whether a session exists with the access terminal according to a quintuple of the packet traffic;
the second judging module is used for judging whether the message flow is a TCP message or not when the session does not exist;
a third judging module, configured to judge whether the packet traffic is a TCP SYN packet when the packet traffic is a TCP packet;
a fourth judging module, configured to judge whether the MAC address in the packet traffic is online when the packet traffic is a TCP SYN packet;
and a fifth judging module, configured to judge whether the digest value of the packet traffic is correct when the MAC address in the packet traffic is online, and, if the digest value is correct, establish a session with the access terminal and reinject a data packet so as to complete the admission of the access terminal.
When the destination IP address of the packet traffic differs from the local IP address, the device judges from the 5-tuple of the packet traffic whether a session with the access terminal already exists; when no session exists, it judges whether the traffic is a TCP packet; when it is a TCP packet, it judges whether it is a TCP SYN packet; when it is a TCP SYN packet, it judges whether the MAC address in the traffic is online; when that MAC address is online, it judges whether the digest value of the traffic is correct; and if the digest value is correct, it establishes a session with the access terminal and reinjects the data packet, finally realizing admission control of the access terminal. On the other hand, the method and the device avoid the effect on the network of adding an extra watermark.
A third aspect of the present application discloses an admission server, comprising:
a processor; and
a memory configured to store machine readable instructions, which when executed by the processor, cause the processor to perform a terminal admission control method according to the first aspect of the present application.
When the destination IP address of the packet traffic differs from the local IP address, the admission server judges from the 5-tuple of the packet traffic whether a session with the access terminal already exists; when no session exists, it judges whether the traffic is a TCP packet; when it is a TCP packet, it judges whether it is a TCP SYN packet; when it is a TCP SYN packet, it judges whether the MAC address in the traffic is online; when that MAC address is online, it judges whether the digest value of the traffic is correct; and if the digest value is correct, it establishes a session with the access terminal and reinjects the data packet, finally realizing admission control of the access terminal. On the other hand, the method and the device avoid the effect on the network of adding an extra watermark.
A fourth aspect of the present application discloses a storage medium storing a computer program, which is executed by a processor to perform the terminal admission control method of the first aspect of the present application.
When the destination IP address of the packet traffic differs from the local IP address, the program on the storage medium judges from the 5-tuple of the packet traffic whether a session with the access terminal already exists; when no session exists, it judges whether the traffic is a TCP packet; when it is a TCP packet, it judges whether it is a TCP SYN packet; when it is a TCP SYN packet, it judges whether the MAC address in the traffic is online; when that MAC address is online, it judges whether the digest value of the traffic is correct; and if the digest value is correct, it establishes a session with the access terminal and reinjects the data packet, finally realizing admission control of the access terminal. On the other hand, the method and the device avoid the effect on the network of adding an extra watermark.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and therefore should not be considered as limiting its scope, and that those skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a schematic flowchart of a terminal admission control method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a terminal admission control apparatus according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an admission server according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Example one
Referring to fig. 1, fig. 1 is a flowchart illustrating a terminal admission control method according to an embodiment of the present application. As shown in fig. 1, the method of the embodiment of the present application includes the steps of:
101. receiving message flow sent by an access terminal;
102. when the target IP address of the message flow is different from the IP address of the local machine, judging whether a session exists with the access terminal according to the quintuple of the message flow;
103. when the session does not exist, judging whether the message flow is a TCP message;
104. when the message flow is a TCP message, judging whether the message flow is a TCP SYN message;
105. when the message flow is a TCP SYN message, judging whether the MAC address in the message flow is online;
106. when the MAC address in the message flow is online, judging whether the digest value of the message flow is correct, and if so, establishing a session with the access terminal and reinjecting a data packet to complete the admission of the access terminal.
When the destination IP address of the packet traffic differs from the local IP address, the method of this embodiment judges from the 5-tuple of the packet traffic whether a session with the access terminal already exists; when no session exists, it judges whether the traffic is a TCP packet; when it is a TCP packet, it judges whether it is a TCP SYN packet; when it is a TCP SYN packet, it judges whether the MAC address in the traffic is online; when that MAC address is online, it judges whether the digest value of the traffic is correct; and if the digest value is correct, it establishes a session with the access terminal and reinjects the data packet, finally realizing admission control of the access terminal. Compared with the prior art, this embodiment does not need to determine whether a terminal is in a NAT environment before applying admission control to it: it can apply admission control to terminals in a NAT environment and to terminals not in a NAT environment alike, so the method has a wider application range. On the other hand, the method and the device avoid the effect on the network of adding an extra watermark.
It should be noted that the traffic of the access terminal is redirected to the admission server by configuring policy routing on the switch.
In this embodiment, as an optional implementation manner, the method in this embodiment further includes:
and when the target IP address of the message flow is the same as the IP address of the local machine, responding to the message flow.
In this optional embodiment, if the destination IP address of the message traffic is the same as the local IP address, the message traffic is responded.
In the embodiment of the present application, as an optional implementation method, the method in the embodiment of the present application further includes the steps of:
and when judging that the session exists with the access terminal according to the quintuple of the message flow, reinjecting the data packet to the access terminal.
In this alternative embodiment, if a session exists with the access terminal, the data packet is reinjected to the access terminal.
In the embodiment of the present application, as an optional implementation method, the method in the embodiment of the present application further includes the steps of:
and when the message flow is not a TCP SYN message, judging whether a source IP in the message flow is online, if so, establishing a session with the accessed terminal and reinjecting a data packet.
In this alternative embodiment, when the message traffic is not a TCP SYN message, it may be determined whether to establish a session with the accessed terminal and to reinject packets according to the source IP presence status in the message traffic.
In this embodiment of the present application, as an optional implementation manner, a specific manner for determining whether the digest value of the message traffic is correct is as follows:
calculating a digest verification value from the IP header identifier in the message flow, the hard disk serial number of the access terminal and the mainboard serial number of the access terminal using the MD5 algorithm;
and comparing the digest verification value with the digest value of the message flow; if the digest value of the message flow is the same as the digest verification value, determining that the digest value of the message flow is correct.
In this optional embodiment, since the IP header identifier in each packet flow of the access terminal is different, and the hard disk serial number of the access terminal and the main board serial number of the access terminal are difficult to be forged, the digest authentication value calculated according to the IP header identifier in the packet flow, the hard disk serial number of the access terminal, the main board serial number of the access terminal, and the MD5 algorithm has better forgery prevention performance.
In this embodiment, as an optional implementation manner, after determining whether the digest value of the message traffic is correct, before establishing a session with the access terminal and reinjecting a data packet, the method according to this embodiment further includes:
and judging whether the binding relationship between the source IP in the message flow and the MAC address in the message flow is correct, and if so, establishing a session with the access terminal and reinjecting a data packet.
In this optional embodiment, by determining the binding relationship between the source IP in the packet traffic and the MAC address in the packet traffic, the MAC address of the access terminal or the source IP of the access terminal can be prevented from being forged, thereby improving the accuracy of the admission control.
In this embodiment, as an optional implementation manner, before receiving a message traffic sent by an access terminal, the method in this embodiment further includes:
receiving an authentication request of an access terminal, wherein the authentication request comprises authentication user information of the access terminal, a hard disk serial number of the access terminal, a mainboard serial number of the access terminal and a data packet source IP address;
and carrying out authentication response on the authentication request, and storing the authentication user information of the access terminal, the hard disk serial number of the access terminal, the mainboard serial number of the access terminal and the data packet source IP address after the authentication is successful.
In this optional embodiment, by authenticating the access terminal, the authenticated user information of the access terminal, the serial number of the hard disk of the access terminal, the serial number of the motherboard of the access terminal, and the IP address of the data packet source may be stored.
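The decision chain of steps 101 to 106 and the optional branches above (and the identical chain in the first aspect of the disclosure) can be written as a single admission function. The following is an added example, not code from the patent or from Topsec: it assumes that the server looks up the authenticated record by the packet source IP stored at authentication time, that the terminal's MAC is learned when it comes online, that the MD5 input is the IP ID and the two serial numbers joined by `|` (the page names only the inputs and the algorithm), and that non-TCP traffic with no session, which the page leaves unspecified, is not admitted. Packet and terminal values are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Packet:
    # Constructed stand-in for one redirected packet; only the fields the method inspects.
    src_ip: str
    dst_ip: str
    src_mac: str
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False     # TCP SYN flag
    ip_id: int = 0        # IP header Identification field
    digest: str = ""      # hex digest carried by the terminal (where it travels is not stated on the page)


@dataclass
class Terminal:
    # Record stored after a successful authentication: user info, disk and board serials, source IP.
    user: str
    disk_serial: str
    board_serial: str
    src_ip: str
    mac: str              # assumption: MAC learned when the terminal comes online; used for the IP/MAC binding check


def expected_digest(ip_id: int, disk_serial: str, board_serial: str) -> str:
    """Digest verification value: MD5 over the IP ID and the two serial numbers.
    Field order and separator are assumptions; the page only names the inputs and MD5."""
    material = f"{ip_id}|{disk_serial}|{board_serial}".encode()
    return hashlib.md5(material).hexdigest()


class AdmissionServer:
    def __init__(self, local_ip: str):
        self.local_ip = local_ip
        self.terminals: dict[str, Terminal] = {}   # keyed by the source IP stored at authentication
        self.online_macs: set[str] = set()
        self.online_ips: set[str] = set()
        self.sessions: set[tuple] = set()          # established sessions, keyed by 5-tuple

    def authenticate(self, user, disk_serial, board_serial, src_ip, mac, credentials_ok: bool) -> bool:
        # Before any traffic: answer the authentication request and, on success, store the record.
        if not credentials_ok:
            return False
        self.terminals[src_ip] = Terminal(user, disk_serial, board_serial, src_ip, mac)
        self.online_macs.add(mac)
        return True

    @staticmethod
    def five_tuple(p: Packet) -> tuple:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def _establish(self, p: Packet) -> str:
        self.sessions.add(self.five_tuple(p))
        self.online_ips.add(p.src_ip)
        return "ESTABLISH_AND_REINJECT"

    def decide(self, p: Packet) -> str:
        # Traffic addressed to the server itself is answered locally (optional branch of step 102).
        if p.dst_ip == self.local_ip:
            return "RESPOND_LOCALLY"
        # 102: an existing session for this 5-tuple means the packet is simply reinjected.
        if self.five_tuple(p) in self.sessions:
            return "REINJECT"
        # 103: the page only continues for TCP; the non-TCP outcome is unspecified, so treat it as not admitted.
        if p.proto != "tcp":
            return "DROP"
        # 104 (optional branch): a non-SYN TCP segment is admitted only if its source IP is already online.
        if not p.syn:
            return self._establish(p) if p.src_ip in self.online_ips else "DROP"
        # 105: the source MAC must be online.
        if p.src_mac not in self.online_macs:
            return "DROP"
        # 106: recompute the digest from the stored serials and this packet's IP ID; compare in constant time.
        term = self.terminals.get(p.src_ip)
        if term is None:
            return "DROP"
        if not hmac.compare_digest(expected_digest(p.ip_id, term.disk_serial, term.board_serial), p.digest):
            return "DROP"
        # Optional step: the source IP / MAC binding must match the authenticated record.
        if term.mac != p.src_mac:
            return "DROP"
        return self._establish(p)
```

Because the IP ID is folded into the digest, a correct digest for one packet does not verify for a packet carrying a different IP ID, which is the per-packet freshness the page relies on; the constant-time comparison is an ordinary precaution for any digest check on the data path.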
Example two
Referring to fig. 2, fig. 2 is a schematic structural diagram of a terminal admission control apparatus according to an embodiment of the present application. As shown in fig. 2, the apparatus of the embodiment of the present application includes:
a first receiving module 201, configured to receive a message traffic sent by an access terminal;
a first judging module 202, configured to, when a target IP address of the packet traffic is different from a local IP address, judge whether a session exists with the access terminal according to a quintuple of the packet traffic;
a second judging module 203, configured to judge whether the packet flow is a TCP packet when there is no session;
a third judging module 204, configured to judge whether the packet traffic is a TCP SYN packet when the packet traffic is a TCP packet;
a fourth judging module 205, configured to judge whether the MAC address in the packet traffic is online when the packet traffic is a TCP SYN packet;
a fifth judging module 206, configured to judge whether the digest value of the packet traffic is correct when the MAC address in the packet traffic is online, and, if the digest value is correct, establish a session with the access terminal and reinject a data packet to complete the admission of the access terminal.
When the destination IP address of the packet traffic differs from the local IP address, the device of this embodiment judges from the 5-tuple of the packet traffic whether a session with the access terminal already exists; when no session exists, it judges whether the traffic is a TCP packet; when it is a TCP packet, it judges whether it is a TCP SYN packet; when it is a TCP SYN packet, it judges whether the MAC address in the traffic is online; when that MAC address is online, it judges whether the digest value of the traffic is correct; and if the digest value is correct, it establishes a session with the access terminal and reinjects the data packet, finally realizing admission control of the access terminal. On the other hand, the method and the device avoid the effect on the network of adding an extra watermark.
For other descriptions of the apparatus of this embodiment, please refer to the first embodiment of the present application; they are not repeated here.
Example three
Referring to fig. 3, fig. 3 is a schematic structural diagram of an admission server according to an embodiment of the present application. As shown in fig. 3, an admission server according to an embodiment of the present application includes:
a processor 301; and
the memory 302 is configured to store machine-readable instructions, which when executed by the processor 301, cause the processor 301 to execute the terminal admission control method according to the first embodiment of the present application.
When the destination IP address of the packet traffic differs from the local IP address, the admission server of this embodiment judges from the 5-tuple of the packet traffic whether a session with the access terminal already exists; when no session exists, it judges whether the traffic is a TCP packet; when it is a TCP packet, it judges whether it is a TCP SYN packet; when it is a TCP SYN packet, it judges whether the MAC address in the traffic is online; when that MAC address is online, it judges whether the digest value of the traffic is correct; and if the digest value is correct, it establishes a session with the access terminal and reinjects the data packet, finally realizing admission control of the access terminal. On the other hand, this embodiment avoids the effect on the network of adding an extra watermark.
Example four
This embodiment of the application discloses a storage medium storing a computer program which, when executed by a processor, performs the terminal admission control method of the embodiments of the present application.
When the destination IP address of the message flow differs from the local IP address, the program on the storage medium of this embodiment judges whether a session exists with the access terminal according to the quintuple of the message flow; when no session exists, it judges whether the message flow is a TCP message; when it is a TCP message, it judges whether it is a TCP SYN message; when it is a TCP SYN message, it judges whether the MAC address in the message flow is online; when that MAC address is online, it judges whether the digest value of the message flow is correct; and if the digest value is correct, it establishes a session with the access terminal and reinjects the data packet, thereby realizing access control of the access terminal. In addition, this embodiment avoids the impact on the network that additionally adding a watermark would cause.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a division of one logic function, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
It should be noted that the functions, if implemented in the form of software functional modules and sold or used as independent products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the portions of it that substantially contribute over the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A terminal admission control method, applied to an admission server, characterized in that the method comprises the following steps:
receiving message flow sent by an access terminal;
when the destination IP address of the message flow is different from the IP address of the local machine, judging whether a session exists with the access terminal according to the quintuple of the message flow;
when the session does not exist, judging whether the message flow is a TCP message;
when the message flow is the TCP message, judging whether the message flow is a TCP SYN message;
when the message flow is the TCP SYN message, judging whether a MAC address in the message flow is online;
and when the MAC address in the message flow is online, judging whether the digest value of the message flow is correct, and if so, establishing a session with the access terminal and reinjecting the data packet to complete the access of the access terminal.
2. The method of claim 1, wherein the method further comprises:
and when the destination IP address of the message flow is the same as the IP address of the local machine, responding to the message flow.
3. The method of claim 1, wherein the method further comprises:
and when it is judged according to the quintuple of the message flow that a session exists with the access terminal, reinjecting the data packet to the access terminal.
4. The method of claim 1, wherein the method further comprises:
and when the message flow is not a TCP SYN message, judging whether the source IP in the message flow is online, and if so, establishing a session with the access terminal and reinjecting the data packet.
5. The method of claim 1, wherein said determining whether the digest value of the message traffic is correct comprises:
calculating a digest verification value from the IP header identifier in the message flow, the hard disk serial number of the access terminal and the mainboard serial number of the access terminal using the MD5 algorithm;
and comparing the digest verification value with the digest value of the message flow, and if the digest value of the message flow is the same as the digest verification value, determining that the digest value of the message flow is correct.
6. The method of claim 1, wherein after the determining whether the digest value of the message traffic is correct, and before the establishing a session with the access terminal and reinjecting data packets, the method further comprises:
and judging whether the binding relationship between the source IP in the message flow and the MAC address in the message flow is correct, and if so, establishing a session with the access terminal and reinjecting the data packet.
7. The method of claim 1, wherein prior to receiving message traffic sent by the access terminal, the method further comprises:
receiving an authentication request of the access terminal, wherein the authentication request comprises authentication user information of the access terminal, a hard disk serial number of the access terminal, a mainboard serial number of the access terminal and a data packet source IP address;
and carrying out authentication response on the authentication request, and storing the authentication user information of the access terminal, the hard disk serial number of the access terminal, the mainboard serial number of the access terminal and the data packet source IP address after the authentication is successful.
8. A terminal admission control device, which is applied in an admission server, and comprises:
a first receiving module, configured to receive the message flow sent by the access terminal;
a first judging module, configured to judge, when the destination IP address of the message flow is different from the local IP address, whether a session exists with the access terminal according to the quintuple of the message flow;
a second judging module, configured to judge whether the message flow is a TCP message when the session does not exist;
a third judging module, configured to judge whether the message flow is a TCP SYN message when the message flow is the TCP message;
a fourth judging module, configured to judge whether a MAC address in the message flow is online when the message flow is the TCP SYN message;
and a fifth judging module, configured to judge whether the digest value of the message flow is correct when the MAC address in the message flow is online, and if the digest value of the message flow is correct, establish a session with the access terminal and reinject the data packet so as to complete the access of the access terminal.
9. An admission server, comprising:
a processor; and
a memory configured to store machine-readable instructions, which when executed by the processor, cause the processor to perform a terminal admission control method according to any of claims 1-7.
10. A storage medium, characterized in that the storage medium stores a computer program, which is executed by a processor to perform a terminal admission control method according to any of claims 1-7.
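The decision chain of claims 1 to 7, walked through in code. This is an added example and not the patent's or the applicant's implementation: the `Packet`, `AdmissionServer`, `compute_digest` and `demo` names are invented here, the way the IP header identifier and the two serial numbers are concatenated before MD5 is an assumption (claim 5 only names the inputs and the algorithm), dropping a packet that fails a check is an assumption (the claims state only the admit path), and non-TCP traffic is sent down the claim-4 "not a TCP SYN" path because the claims do not treat it separately. All packets and serial numbers are constructed test data.

```python
"""Simulation of the admission decision chain in claims 1-7 (added example, not the patent's code)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Packet:
    """One packet of 'message flow' as the admission server sees it (constructed test data)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str            # "TCP" or "UDP"
    src_mac: str
    syn: bool = False     # TCP SYN flag set
    ip_id: int = 0        # IP header Identification field used in the claim-5 digest
    digest: str = ""      # digest value carried in the flow; assumed to be a hex MD5 string


def five_tuple(pkt: Packet) -> tuple:
    """The quintuple that identifies a session (claim 1)."""
    return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)


def compute_digest(ip_id: int, hdd_serial: str, board_serial: str) -> str:
    """Claim 5: MD5 over the IP identifier, hard disk serial and mainboard serial.
    The claims do not fix the input encoding; joining the fields with '|' is an assumption."""
    return hashlib.md5(f"{ip_id}|{hdd_serial}|{board_serial}".encode()).hexdigest()


class AdmissionServer:
    def __init__(self, local_ip: str):
        self.local_ip = local_ip
        self.sessions: set = set()     # admitted quintuples
        self.online_macs: set = set()
        self.online_ips: set = set()
        self.ip_mac: dict = {}         # claim 6: source IP -> bound MAC
        self.serials: dict = {}        # claim 7: source IP -> (hdd serial, board serial)

    def authenticate(self, src_ip: str, mac: str, hdd_serial: str, board_serial: str) -> None:
        """Claim 7: after a successful authentication, store the terminal's identity data.
        Credential checking itself is not described in the claims and is not modelled."""
        self.serials[src_ip] = (hdd_serial, board_serial)
        self.ip_mac[src_ip] = mac
        self.online_ips.add(src_ip)
        self.online_macs.add(mac)

    def digest_ok(self, pkt: Packet) -> bool:
        """Claim 5: recompute the digest from the stored serials and compare with the carried one."""
        rec = self.serials.get(pkt.src_ip)
        if rec is None:
            return False
        expected = compute_digest(pkt.ip_id, *rec)
        return hmac.compare_digest(expected, pkt.digest)   # constant-time compare (added choice)

    def _admit(self, pkt: Packet) -> str:
        self.sessions.add(five_tuple(pkt))   # establish the session, then reinject the packet
        return "ADMIT"

    def handle(self, pkt: Packet) -> str:
        """Outcome for one packet. 'DROP' on a failed check is an assumption (claims give only the admit path)."""
        if pkt.dst_ip == self.local_ip:
            return "RESPOND"                   # claim 2: traffic addressed to the server itself
        if five_tuple(pkt) in self.sessions:
            return "REINJECT"                  # claim 3: a session already exists
        if pkt.proto == "TCP" and pkt.syn:     # claim 1: TCP and SYN -> full identity checks
            if pkt.src_mac not in self.online_macs:
                return "DROP"
            if not self.digest_ok(pkt):
                return "DROP"
            if self.ip_mac.get(pkt.src_ip) != pkt.src_mac:   # claim 6: IP/MAC binding
                return "DROP"
            return self._admit(pkt)
        # claim 4: not a TCP SYN (non-TCP traffic also takes this path: an assumption)
        if pkt.src_ip in self.online_ips:
            return self._admit(pkt)
        return "DROP"


def demo() -> dict:
    """Walk constructed packets through the server and collect the outcomes."""
    srv = AdmissionServer("10.0.0.1")
    srv.authenticate("10.0.0.50", "aa:bb:cc:dd:ee:01", "HDD-SN-0001", "MB-SN-0001")
    ok = compute_digest(4242, "HDD-SN-0001", "MB-SN-0001")
    syn = Packet("10.0.0.50", "10.0.0.200", 40000, 443, "TCP", "aa:bb:cc:dd:ee:01", syn=True, ip_id=4242, digest=ok)
    results = {"syn_ok": srv.handle(syn), "same_flow": srv.handle(syn)}
    results["mac_offline"] = srv.handle(Packet("10.0.0.50", "10.0.0.200", 40001, 443, "TCP", "aa:bb:cc:dd:ee:99", syn=True, ip_id=4242, digest=ok))
    results["bad_digest"] = srv.handle(Packet("10.0.0.50", "10.0.0.200", 40002, 443, "TCP", "aa:bb:cc:dd:ee:01", syn=True, ip_id=4242, digest="00" * 16))
    results["ack_online_ip"] = srv.handle(Packet("10.0.0.50", "10.0.0.200", 40003, 443, "TCP", "aa:bb:cc:dd:ee:01"))
    results["udp_unknown_ip"] = srv.handle(Packet("10.0.0.77", "10.0.0.200", 40004, 53, "UDP", "aa:bb:cc:dd:ee:77"))
    results["to_server"] = srv.handle(Packet("10.0.0.50", "10.0.0.1", 40005, 443, "TCP", "aa:bb:cc:dd:ee:01", syn=True))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} -> {outcome}")
```

Running `demo()` shows the two admit paths side by side: a SYN from an online MAC with a correct digest and a correct IP/MAC binding is admitted, while a later packet of the same quintuple is simply reinjected, and a non-SYN packet is admitted on the claim-4 source-IP check alone. Because the digest covers the IP header identifier, a terminal that only copies another terminal's digest presents a value that no longer matches the identifier of its own packet, which is why the recomputation in `digest_ok` is done per packet rather than once per terminal.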

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011491025.8A CN112615854B (en) 2020-12-17 2020-12-17 Terminal access control method, device, access server and storage medium

Publications (2)

Publication Number Publication Date
CN112615854A true CN112615854A (en) 2021-04-06
CN112615854B CN112615854B (en) 2022-07-12

Family

ID=75240147

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011491025.8A Active CN112615854B (en) 2020-12-17 2020-12-17 Terminal access control method, device, access server and storage medium

Country Status (1)

Country Link
CN (1) CN112615854B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070022474A1 (en) * 2005-07-21 2007-01-25 Mistletoe Technologies, Inc. Portable firewall
US20100161795A1 (en) * 2008-12-22 2010-06-24 Kindsight Apparatus and method for multi-user nat session identification and tracking
CN102307123A (en) * 2011-09-06 2012-01-04 电子科技大学 NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic
CN105656875A (en) * 2015-10-21 2016-06-08 乐卡汽车智能科技(北京)有限公司 Main stream connection building method and device based on MPTCP (Multi-Path Transmission Control Protocol)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113938460A (en) * 2021-11-25 2022-01-14 湖北天融信网络安全技术有限公司 Network detection method and device, electronic equipment and storage medium
CN113904950A (en) * 2021-12-06 2022-01-07 广东睿江云计算股份有限公司 Stream-based network monitoring method and device, computer equipment and storage medium
CN116527628A (en) * 2023-07-03 2023-08-01 北京左江科技股份有限公司 Network address conversion method and system based on security situation awareness
CN116527628B (en) * 2023-07-03 2023-09-29 北京左江科技股份有限公司 Network address conversion method and system based on security situation awareness

Also Published As

Publication number Publication date
CN112615854B (en) 2022-07-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant