CN113206845B - Network access control method, device, computer equipment and storage medium - Google Patents

Info

Publication number: CN113206845B
Application number: CN202110467501.0A
Authority: CN (China)
Other versions: CN113206845A
Other languages: Chinese (zh)
Prior art keywords: v2ray, network access, access, allowed, websites
Inventor: 赵应旺
Current assignee: Tibet Ningsuan Technology Group Co ltd
Original assignee: Tibet Ningsuan Technology Group Co ltd
Legal status: Active (granted)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/105 Multiple levels of security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a network access control method, a network access control device, computer equipment and a storage medium. The method comprises the following steps: when an access request from a terminal to a target website is received, acquiring the terminal identifier carried in the access request; acquiring, according to the terminal identifier, the employee identifier associated with it; acquiring, according to the employee identifier, the network access level associated with it; matching the corresponding access control policy according to the network access level, where the access control policy is based on a v2ray routing rule configured in advance by a v2ray component for that network access level; and forwarding the access request to the v2ray listening port corresponding to the access control policy, so that the employee can access only the designated websites permitted by the network access level. Because the access request is forwarded to access control implemented with v2ray, access control is realized per designated device, which improves the degree of customization.

Description

Network access control method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to a network access control method, a device, a computer device, and a storage medium.
Background
As the internet plays an ever larger part in daily life, controlling the network access of internal networked devices is becoming more and more important to enterprises, and many routers are offered for controlling the network access of such devices.
Routers that control which devices may access the network can only apply simple, uniform controls. Taking a TP-Link commercial router as an example: although website filtering can be configured so that all users of the network are prevented from accessing certain websites, such as shopping sites, the filter cannot distinguish between employees whose different job content requires different websites to be allowed or blocked.
Therefore, current methods of controlling network access offer a low degree of customization.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a network access control method, apparatus, computer device, and storage medium that can improve the degree of customization.
A method of network access control, the method comprising:
when an access request from a terminal to a target website is received, acquiring the terminal identifier carried in the access request;
acquiring, according to the terminal identifier, the employee identifier associated with the terminal identifier;
acquiring, according to the employee identifier, the network access level associated with the employee identifier;
matching a corresponding access control policy according to the network access level, where the access control policy is based on a v2ray routing rule configured in advance by a v2ray component for that network access level;
and forwarding the access request to the v2ray listening port corresponding to the access control policy, so that the employee accesses only the designated websites permitted by the network access level.
In one embodiment, the method further comprises:
acquiring, in real time from the employee management system, the employee identifier, network access level and terminal identifier in use of each employee, and updating the current employee identifiers, network access levels and terminal identifiers in use accordingly.
In one embodiment, the v2ray routing rules are configured as follows:
according to the job content of each employee, determining the websites each employee is allowed to access or the websites each employee is not allowed to access;
grouping employees who share the same allowed websites or the same disallowed websites, and so determining employee website-access types;
determining, for each employee website-access type, the corresponding network access level according to its allowed or disallowed websites;
defining, based on the v2ray component, a v2ray listening port corresponding to each network access level;
and setting the routing rules of each v2ray listening port according to the allowed or disallowed websites of the corresponding network access level, thereby controlling which websites each employee can access online.
In one embodiment, the step of setting the routing rules of the v2ray listening port according to the allowed or disallowed websites of the network access level, and so controlling which websites employees can access, comprises:
adding the websites allowed for the network access level to a whitelist of the v2ray listening port, so that the v2ray listening port monitors for the websites in the whitelist and blocks access when a website not in the whitelist is requested;
and adding the websites disallowed for the network access level to a blacklist of the v2ray listening port, so that the v2ray listening port monitors for the websites in the blacklist and blocks access when a website in the blacklist is requested.
In one embodiment, the method further comprises:
when no employee identifier associated with the terminal identifier is found, or no network access level associated with the employee identifier is found, forwarding the access request to a default v2ray listening port, which prevents the access request from reaching the target website.
A network access control apparatus, the apparatus comprising:
a request receiving module, for acquiring the terminal identifier carried in an access request when the access request from a terminal to a target website is received;
an employee matching module, for acquiring, according to the terminal identifier, the employee identifier associated with the terminal identifier;
a network access level acquisition module, for acquiring, according to the employee identifier, the network access level associated with the employee identifier;
a matching module, for matching a corresponding access control policy according to the network access level, where the access control policy is based on a v2ray routing rule configured in advance by a v2ray component for that network access level;
and a network access control module, for forwarding the access request to the v2ray listening port corresponding to the access control policy, so that the employee accesses only the designated websites permitted by the network access level.
A computer device comprising a memory storing a computer program and a processor which implements the steps of the method when it executes the computer program.
A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method.
According to the network access control method, the network access control device, the computer equipment and the storage medium, when an access request from a terminal to a target website is received, the terminal identifier carried in the access request is obtained; the employee identifier associated with the terminal identifier is obtained; the network access level associated with the employee identifier is obtained; the corresponding access control policy is matched according to the network access level, where the access control policy is based on a v2ray routing rule configured in advance by a v2ray component for that network access level; and the access request is forwarded to the v2ray listening port corresponding to the access control policy, so that the employee can access only the designated websites permitted by the network access level. Because the access request is forwarded to access control implemented with v2ray, access control is realized per designated device, which improves the degree of customization.
Drawings
FIG. 1 is a flow diagram of a network access control method in one embodiment;
FIG. 2 is a flow chart of a network access control method according to another embodiment;
FIG. 3 is a block diagram of a network access control device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The network access control method provided by the application can be applied to network access control in a small enterprise. An openwrt open source router is the main body of the method. It can be built from a computer with two network ports: the openwrt operating system is downloaded and installed on that computer and started, the v2ray component is installed, and the v2ray routing rules are configured; the openwrt router then applies the network access control method to every internet-accessing device behind it. openwrt is a Linux distribution for embedded devices that provides a writable file system to which software packages can be added, making it a highly customizable router system. v2ray is traffic-proxying and distribution software that supports several inbound and outbound protocols concurrently, each working independently; inbound traffic can be sent out through different outlets according to the configuration, so that splitting by region or by domain name is easily realized and the best network performance can be achieved.
When the traffic forwarding program of the openwrt router receives an access request from a terminal to a target website, it acquires the terminal identifier carried in the access request; according to the terminal identifier, it acquires the employee identifier associated with that terminal identifier; according to the employee identifier, it acquires the network access level associated with that employee identifier; according to the network access level, it matches the corresponding access control policy, where the access control policy is based on a v2ray routing rule configured in advance by the v2ray component for that network access level; and it forwards the access request to the v2ray listening port corresponding to the access control policy, so that the employee can access only the designated websites permitted by the network access level.
In one embodiment, as shown in fig. 1, a network access control method is provided, which uses an openwrt open source router as an execution body, and includes the following steps:
step S220, when an access request of the terminal to access the target website is received, a terminal identification carried in the access request is obtained.
Wherein the terminal is a terminal under a local area network of an openwrt open source router. The target website refers to a website accessed by the access request, and the terminal identifier is information for identifying the terminal, such as an IP address, a terminal identification code, and the like.
Step S240, according to the terminal identification, the employee identification associated with the terminal identification is obtained.
The employee identifier, network access level and terminal identifier in use of each employee are stored together, so the employee identifier can be looked up in the database by the terminal identifier.
In one embodiment, the network access control method further includes:
acquiring, in real time from the employee management system, the employee identifier, network access level and terminal identifier in use of each employee, and updating the current employee identifiers, network access levels and terminal identifiers in use accordingly.
The enterprise's network administrator edits or updates employees' identifiers, network access levels and terminal identifiers in use through the employee management system; the openwrt router exchanges data with the employee management system in real time to obtain the current values, so that it can control an employee's network access accurately whenever an access request arrives.
Step S260, according to the employee identification, acquiring the network access level associated with the employee identification.
The network access level is associated with the employee identification, and the associated network access level can be obtained according to the employee identification after the employee identification is determined.
Step S280, according to the network access level, matching the corresponding access control policy, where the access control policy is based on a v2ray routing rule configured in advance by the v2ray component for that network access level.
Different network access levels correspond to different access control policies, and the corresponding policy is matched through the correspondence between network access levels and access control policies.
In one embodiment, the v2ray routing rules are configured in the following manner:
according to the job content of each employee, determining the websites each employee is allowed to access or the websites each employee is not allowed to access; grouping employees who share the same allowed websites or the same disallowed websites, and so determining employee website-access types; determining, for each employee website-access type, the corresponding network access level according to its allowed or disallowed websites; defining, based on the v2ray component, a v2ray listening port corresponding to each network access level; and setting the routing rules of each v2ray listening port according to the allowed or disallowed websites of the corresponding network access level, thereby controlling which websites each employee can access online.
In one embodiment, the step of setting the routing rules of the v2ray listening port according to the allowed or disallowed websites of the network access level, and so controlling which websites each employee can access, comprises the following steps: adding the websites allowed for the network access level to a whitelist of the v2ray listening port, so that the v2ray listening port monitors for the websites in the whitelist and blocks access when a website not in the whitelist is requested; and adding the websites disallowed for the network access level to a blacklist of the v2ray listening port, so that the v2ray listening port monitors for the websites in the blacklist and blocks access when a website in the blacklist is requested.
Step S300, forwarding the access request to the v2ray listening port corresponding to the access control policy, so that the employee accesses only the designated websites permitted by the network access level.
Each v2ray listening port maintains either a blacklist or a whitelist. If the port maintains a blacklist, it decides by checking whether the target website of the access request is in the blacklist: if it is, access is blocked; if not, access is allowed. If the port maintains a whitelist, it decides by checking whether the target website of the access request is in the whitelist: if it is, access is allowed; if not, access is blocked.
According to this network access control method, when an access request from a terminal to a target website is received, the terminal identifier carried in the access request is obtained; the employee using the terminal is determined from the terminal identifier; the network access level associated with the employee identifier is obtained; the corresponding access control policy is matched according to the network access level, the policy being based on a v2ray routing rule preconfigured by the v2ray component; and the access request is forwarded to the v2ray listening port corresponding to the access control policy, so that the employee can access only the designated websites permitted by the network access level. Because the access request is forwarded to access control implemented with v2ray, access control is realized per designated device, which improves the degree of customization.
In one embodiment, the network access control method further includes: when no employee identifier associated with the terminal identifier is found, or no network access level associated with the employee identifier is found, forwarding the access request to a default v2ray listening port, which prevents the access request from reaching the target website.
The default v2ray listening port blocks requests to all websites.
To describe the application more clearly, an embodiment of the network access control method is given for building a small enterprise network in which fine-grained control of employees' online behaviour is required and the control is integrated with an employee management system. It comprises the following steps:
Before the network access control method is executed, the open source router is built in advance, as follows:
Step one: using a computer with two network ports, download and install the openwrt open source router operating system.
Step two: start the openwrt operating system, install the v2ray component and configure the v2ray routing rules; the openwrt open source router is then built.
Example of configuring the v2ray routing rules: define a v2ray listening port, for example 10011, then define a routing rule for the traffic entering that listening port (i.e. the access requests passing through the v2ray listening port); the routing rule specifies that traffic entering listening port 10011 may access only the website exampleA.com and no other website. This gives one access control policy, which is taken to be level1. More access control policies can be set as needed: for example, a v2ray listening port 10012 is set for level2 with a routing rule allowing only exampleB.com, giving a second access control policy that can access only exampleB.com. Further policies can be customized as needed; in the example above only one website is configured per policy, but a policy can also be configured so that, for instance, access to both exampleA.com and exampleB.com is prohibited while other websites remain configurable as needed.
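The routing-rule configuration described above (one v2ray listening port per network access level, a whitelist or a blacklist per port, and a default port that blocks everything), written out as an added example that is not part of the patent: a POSIX shell script for the openwrt router that emits a v2ray configuration in the v4 JSON format. The ports 10011 and 10012 and the names level1 and level2 follow the patent's example; the default port 10010, the level3 port 10013, the tag names, and the domain names example-a.com and example-b.com are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the patent's code): generate a v2ray (v4 JSON format)
# configuration in which every network access level owns one listening port.
# Ports 10011/10012 follow the patent text; port 10010 (default, deny-all),
# port 10013, the tag names and the example domains are constructed here.

DEFAULT_PORT=10010

# inbound TAG PORT: a transparent-proxy inbound (dokodemo-door, followRedirect)
# that receives the traffic iptables redirected to PORT. The tag lets routing
# rules recognise which level the traffic belongs to; sniffing recovers the
# domain name from the TLS SNI / HTTP Host so domain rules can match it.
inbound() {
  printf '    {"tag":"%s","port":%s,"listen":"0.0.0.0","protocol":"dokodemo-door",\n' "$1" "$2"
  printf '     "settings":{"network":"tcp","followRedirect":true},\n'
  printf '     "sniffing":{"enabled":true,"destOverride":["http","tls"]}}'
}

# domain_list a.com b.com -> "domain:a.com","domain:b.com"
# ("domain:" matches the domain itself and all of its subdomains)
domain_list() {
  out=""
  for d in "$@"; do out="$out${out:+,}\"domain:$d\""; done
  printf '%s' "$out"
}

# whitelist_rules TAG DOMAIN...: listed domains go out directly, everything
# else entering this port is blocked. v2ray takes the first matching rule,
# so the catch-all rule for the tag must come after the whitelist rule.
whitelist_rules() {
  tag=$1; shift
  printf '    {"type":"field","inboundTag":["%s"],"domain":[%s],"outboundTag":"direct"},\n' "$tag" "$(domain_list "$@")"
  printf '    {"type":"field","inboundTag":["%s"],"outboundTag":"blocked"}' "$tag"
}

# blacklist_rules TAG DOMAIN...: listed domains are blocked, everything else
# entering this port goes out directly.
blacklist_rules() {
  tag=$1; shift
  printf '    {"type":"field","inboundTag":["%s"],"domain":[%s],"outboundTag":"blocked"},\n' "$tag" "$(domain_list "$@")"
  printf '    {"type":"field","inboundTag":["%s"],"outboundTag":"direct"}' "$tag"
}

# default_rules: the default port, used for terminals without a known
# employee or level, blocks every website.
default_rules() {
  printf '    {"type":"field","inboundTag":["default"],"outboundTag":"blocked"}'
}

# v2ray_config: level1 may reach only example-a.com, level2 only
# example-b.com, level3 everything except those two sites.
v2ray_config() {
  cat <<EOF
{
  "inbounds": [
$(inbound default "$DEFAULT_PORT"),
$(inbound level1 10011),
$(inbound level2 10012),
$(inbound level3 10013)
  ],
  "outbounds": [
    {"tag":"direct","protocol":"freedom"},
    {"tag":"blocked","protocol":"blackhole"}
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
$(default_rules),
$(whitelist_rules level1 example-a.com),
$(whitelist_rules level2 example-b.com),
$(blacklist_rules level3 example-a.com example-b.com)
    ]
  }
}
EOF
}

# On the router: v2ray_config > /etc/v2ray/config.json, then restart v2ray.
```

Two details matter for the control to behave as the embodiment describes. The sniffing setting is what lets the router see the domain name of transparently redirected traffic (TLS SNI or HTTP Host); without it a domain whitelist matches nothing and every connection on a whitelist port falls through to the blackhole rule. And because v2ray applies the first matching rule, each port's catch-all rule is emitted after its domain rule; reversing that order would silently override the list. Domain rules also only apply where a name is visible, so a complete policy adds IP-based rules for destinations reached by bare address.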
As shown in FIG. 2, the network access control method is carried out as follows:
The traffic forwarding program (a control program in the operating system of the openwrt router, implemented on top of iptables: the router's iptables are configured to forward traffic using the IP addresses and permission information of employees' networked devices obtained from the enterprise employee management system) forwards the traffic, i.e. the access requests sent by terminals in the openwrt router's local area network. Assuming that the computer of employee A has IP address 192.168.0.101 and that the network access level determined from this IP address may only access the website exampleA.com, all traffic from this IP address is forwarded to port 10011, so that employee A can access only exampleA.com; assuming that the computer of employee B has IP address 192.168.0.102 and that its network access level may only access exampleB.com, the traffic from this IP address is forwarded to port 10012, so that employee B can access only exampleB.com.
The traffic forwarding program obtains employees' internet access permissions (comprising each employee's identifier, network access level and terminal identifier in use) from the employee management system in real time, and updates the current employee identifiers, network access levels, terminal identifiers in use and online states.
The traffic forwarding program also determines each employee's online state from the traffic passing through it and reports it to the employee management system, so that the employee management system can further analyze employees' online behaviour, such as which websites a computer accessed and which files it downloaded, as well as the causes of network failures.
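The traffic forwarding program of this embodiment, as an added example that is not the patent's code: a POSIX shell script for the openwrt router that resolves terminal IP to employee to network access level to v2ray listening port and emits the iptables commands that redirect each terminal's TCP traffic to that port, falling back to the default (deny-all) port whenever the employee or the level is unknown, as the embodiment above requires. The addresses 192.168.0.101 and 192.168.0.102 and the ports 10011 and 10012 follow the patent's example; the employee identifiers E001 to E003, the default port 10010, the chain name V2RAY_ACL, the LAN bridge br-lan, the LAN subnet 192.168.0.0/24 and the inline tables (standing in for the data exported by the employee management system) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the patent's code): the traffic forwarding program as an
# iptables rule generator for the openwrt router. Terminal IPs .101/.102 and
# ports 10011/10012 follow the patent; the employee ids, default port 10010,
# chain name, LAN bridge and subnet, and the tables below are constructed.

DEFAULT_PORT=10010      # default v2ray port: blocks every website
LAN_IF=br-lan           # openwrt's default LAN bridge (assumed)
LAN_NET=192.168.0.0/24  # LAN subnet (assumed)
CHAIN=V2RAY_ACL         # dedicated nat chain so rules can be rebuilt in place

# Constructed stand-in for the data pulled from the employee management
# system: "terminal_ip employee_id" and "employee_id network_access_level".
TERMINALS='192.168.0.101 E001
192.168.0.102 E002
192.168.0.103 E003'
EMPLOYEES='E001 level1
E002 level2'
# E003 has a terminal but no level assigned: it must land on the default port.

# port_for_level LEVEL -> v2ray listening port, empty for an unknown level
port_for_level() {
  case "$1" in
    level1) echo 10011 ;;
    level2) echo 10012 ;;
    *)      echo "" ;;
  esac
}

# lookup_port IP: terminal -> employee -> level -> port. Any missing link
# in the chain yields the default (deny-all) port, never an open one.
lookup_port() {
  emp=$(printf '%s\n' "$TERMINALS" | awk -v ip="$1" '$1 == ip { print $2; exit }')
  [ -n "$emp" ] || { echo "$DEFAULT_PORT"; return 0; }
  lvl=$(printf '%s\n' "$EMPLOYEES" | awk -v e="$emp" '$1 == e { print $2; exit }')
  port=$(port_for_level "$lvl")
  [ -n "$port" ] || port=$DEFAULT_PORT
  echo "$port"
}

# gen_rules: print the iptables commands that rebuild the chain from the
# current tables. Re-running it after the employee data changes refreshes
# the mapping without disturbing the rest of PREROUTING.
gen_rules() {
  echo "iptables -t nat -N $CHAIN 2>/dev/null"
  echo "iptables -t nat -F $CHAIN"
  # traffic that stays inside the LAN (e.g. to the router itself) is not proxied
  echo "iptables -t nat -A $CHAIN -d $LAN_NET -j RETURN"
  printf '%s\n' "$TERMINALS" | while read -r ip rest; do
    echo "iptables -t nat -A $CHAIN -s $ip -p tcp -j REDIRECT --to-ports $(lookup_port "$ip")"
  done
  # every other LAN host is an unknown terminal and gets the default port
  echo "iptables -t nat -A $CHAIN -p tcp -j REDIRECT --to-ports $DEFAULT_PORT"
  # hook the chain into PREROUTING once (-C tests whether the jump exists)
  echo "iptables -t nat -C PREROUTING -i $LAN_IF -j $CHAIN 2>/dev/null || iptables -t nat -A PREROUTING -i $LAN_IF -j $CHAIN"
}

# On the router: gen_rules | sh   (or run gen_rules alone to review the commands)
```

The generator only prints commands, so the mapping can be reviewed before it is applied, and the final catch-all REDIRECT is what makes an unlisted terminal end up on the deny-all port rather than bypassing the proxy. Only TCP is redirected here; DNS and other UDP traffic still reach the router directly, and covering UDP would need a TPROXY setup rather than REDIRECT.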
The network access control method is based mainly on the openwrt open source router system. It implements access control policies for websites with the v2ray component, reads terminal IP addresses and employees' internet access permission information from the enterprise employee management system, and, in combination with iptables, forwards traffic to the different access control policies implemented on the v2ray component. This gives fine-grained control over device internet access and low-cost, highly customizable network access control for small enterprises. Furthermore, the control of employees' internet access permissions is integrated with the enterprise's employee management system, so that employee internet access and employee management are unified, overcoming the inability of commercial routers to be highly customized and integrated.
It should be understood that, although the steps in the flowchart of FIG. 1 are shown in the sequence indicated by the arrows, they are not necessarily performed in that sequence. Unless explicitly stated herein, the order of execution is not strictly limited and the steps may be executed in other orders. Moreover, at least some of the steps in FIG. 1 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages need not be performed in sequence but may be performed in turn or alternately with at least a portion of the other steps or of the sub-steps of other steps.
In one embodiment, as shown in FIG. 3, a network access control apparatus is provided, including: a request receiving module 410, an employee matching module 420, a network access level obtaining module 430, a matching module 440, and a network access control module 450.
The request receiving module 410 is configured to, when an access request from a terminal to a target website is received, obtain the terminal identifier carried in the access request.
The employee matching module 420 is configured to obtain, according to the terminal identifier, the employee identifier associated with the terminal identifier.
The network access level obtaining module 430 is configured to obtain, according to the employee identifier, the network access level associated with the employee identifier.
The matching module 440 is configured to match the corresponding access control policy according to the network access level, where the access control policy is based on a v2ray routing rule configured in advance by the v2ray component for that network access level.
The network access control module 450 is configured to forward the access request to the v2ray listening port corresponding to the access control policy, so that the employee accesses only the designated websites permitted by the network access level.
In one embodiment, the network access control apparatus further includes an information acquisition module, configured to acquire, in real time from the employee management system, each employee's identifier, network access level and terminal identifier in use, and to update the current employee identifiers, network access levels and terminal identifiers in use accordingly.
In one embodiment, the network access control apparatus further includes a rule configuration module, configured to: determine, according to the job content of each employee, the websites each employee is allowed to access or the websites each employee is not allowed to access; group employees who share the same allowed websites or the same disallowed websites, and so determine employee website-access types; determine, for each employee website-access type, the corresponding network access level according to its allowed or disallowed websites; define, based on the v2ray component, a v2ray listening port corresponding to each network access level; and set the routing rules of each v2ray listening port according to the allowed or disallowed websites of the corresponding network access level, thereby controlling which websites each employee can access online.
In one embodiment, the rule configuration module is further configured to: add the websites allowed for the network access level to a whitelist of the v2ray listening port, so that the v2ray listening port monitors for the websites in the whitelist and blocks access when a website not in the whitelist is requested; and add the websites disallowed for the network access level to a blacklist of the v2ray listening port, so that the v2ray listening port monitors for the websites in the blacklist and blocks access when a website in the blacklist is requested.
In one embodiment, the network access control module is further configured to: when no employee identifier associated with the terminal identifier is found, or no network access level associated with the employee identifier is found, forward the access request to a default v2ray listening port, which prevents the access request from reaching the target website.
For the specific limitations of the network access control device, refer to the limitations of the network access control method above; they are not repeated here. Each module of the above network access control device may be implemented in whole or in part by software, by hardware, or by a combination of the two. The modules may be embedded in hardware, may be independent of the processor of the computer device, or may be stored as software in the memory of the computer device so that the processor can call and execute the operations corresponding to them.
In one embodiment, a computer device is provided, comprising a memory storing a computer program and a processor that implements the steps of the network access control method described above when it executes the computer program.
In one embodiment, a computer-readable storage medium is provided on which a computer program is stored; when executed by a processor, the program implements the steps of the network access control method described above.
Those skilled in the art will appreciate that all or part of the methods of the above embodiments may be implemented by a computer program stored on a non-transitory computer-readable storage medium, which, when executed, may carry out the steps of the method embodiments described above. Any reference to memory, storage, a database, or another medium in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), among others.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of technical features contains no contradiction, it should be considered within the scope of this description.
The above examples illustrate only a few embodiments of the application; they are described in detail but are not to be construed as limiting the scope of the application. It should be noted that those skilled in the art can make several variations and modifications without departing from the spirit of the application, and all of these fall within the scope of the application. Accordingly, the scope of protection of the present application is determined by the appended claims.

Claims (6)

1. A network access control method, characterized in that it is applied to network access control of all Internet-access devices under an openwrt open source router in a small-enterprise network access control environment, and comprises the following steps:
when the traffic forwarding program of the openwrt open source router receives an access request from a terminal for a target website, obtaining the terminal identifier carried in the access request, wherein the terminal is on the local area network of the openwrt open source router;
the traffic forwarding program of the openwrt open source router obtaining, according to the terminal identifier, the employee identifier associated with the terminal identifier;
the traffic forwarding program of the openwrt open source router obtaining, according to the employee identifier, the network access level associated with the employee identifier;
the traffic forwarding program of the openwrt open source router matching a corresponding access control policy according to the network access level, wherein the access control policy is based on v2ray routing rules configured in advance by a v2ray component according to the network access level;
the traffic forwarding program of the openwrt open source router forwarding the access request to the v2ray listening port corresponding to the access control policy, so that the employee accesses only the designated websites conforming to the network access level;
wherein the v2ray routing rules are configured as follows:
determining, according to each employee's work content, the websites that employee is allowed to access or the websites that employee is not allowed to access;
grouping employees with the same allowed or disallowed websites into one class, and thereby determining the employee website access type;
determining a corresponding network access level according to the websites allowed or disallowed for the employee website access type;
defining, based on the v2ray component, a v2ray listening port corresponding to the network access level;
setting the routing rules of the v2ray listening port according to the websites allowed or disallowed at the corresponding network access level, so as to control the employee's Internet access to different websites;
wherein the step of setting the routing rules of the v2ray listening port according to the websites allowed or disallowed at the corresponding network access level, so as to control the employee's access to different websites, comprises:
adding the websites allowed at the network access level to the whitelist of the v2ray listening port, so that the v2ray listening port checks accessed websites against the whitelist and blocks access when a website not in the whitelist is requested;
and adding the websites disallowed at the network access level to the blacklist of the v2ray listening port, so that the v2ray listening port checks accessed websites against the blacklist and blocks access when a website in the blacklist is requested.
2. The method according to claim 1, characterized in that the method further comprises:
obtaining the employee identifiers, network access levels and terminal identifiers in use of the employees from the employee management system in real time, and updating the current employee identifiers, network access levels and terminal identifiers in use of the employees accordingly.
3. The method according to claim 1, characterized in that the method further comprises:
when no employee identifier associated with the terminal identifier is obtained, or no network access level associated with the employee identifier is obtained, forwarding the access request to a default v2ray listening port, which prevents the access request from reaching the target website.
4. A network access control apparatus for performing network access control on all Internet-access devices under an openwrt open source router in a small-enterprise network access control environment, the apparatus comprising:
a request receiving module, used to obtain the terminal identifier carried in an access request when the traffic forwarding program of the openwrt open source router receives the access request from a terminal for a target website, wherein the terminal is on the local area network of the openwrt open source router;
an employee matching module, used by the traffic forwarding program of the openwrt open source router to obtain, according to the terminal identifier, the employee identifier associated with the terminal identifier;
a network access level acquisition module, used by the traffic forwarding program of the openwrt open source router to obtain, according to the employee identifier, the network access level associated with the employee identifier;
a matching module, used by the traffic forwarding program of the openwrt open source router to match a corresponding access control policy according to the network access level, wherein the access control policy is based on v2ray routing rules configured in advance by a v2ray component according to the network access level;
a network access control module, used by the traffic forwarding program of the openwrt open source router to forward the access request to the v2ray listening port corresponding to the access control policy, so that the employee accesses only the designated websites conforming to the network access level;
wherein the v2ray routing rules are configured as follows:
determining, according to each employee's work content, the websites that employee is allowed to access or the websites that employee is not allowed to access;
grouping employees with the same allowed or disallowed websites into one class, and thereby determining the employee website access type;
determining a corresponding network access level according to the websites allowed or disallowed for the employee website access type;
defining, based on the v2ray component, a v2ray listening port corresponding to the network access level;
setting the routing rules of the v2ray listening port according to the websites allowed or disallowed at the corresponding network access level, so as to control the employee's Internet access to different websites;
wherein the step of setting the routing rules of the v2ray listening port according to the websites allowed or disallowed at the corresponding network access level, so as to control the employee's access to different websites, comprises:
adding the websites allowed at the network access level to the whitelist of the v2ray listening port, so that the v2ray listening port checks accessed websites against the whitelist and blocks access when a website not in the whitelist is requested;
and adding the websites disallowed at the network access level to the blacklist of the v2ray listening port, so that the v2ray listening port checks accessed websites against the blacklist and blocks access when a website in the blacklist is requested.
5. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 3 when executing the computer program.
6. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 3.
Application CN202110467501.0A, priority date 2021-04-28, filing date 2021-04-28: Network access control method, device, computer equipment and storage medium. Status: Active. Granted as CN113206845B (en).


Publications (2)

CN113206845A (en), published 2021-08-03
CN113206845B (en), published 2023-08-11

Family ID: 77027102





Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20230209
Address after: 11/F, Liuwu Building, Liuwu New District, Lhasa City, Tibet Autonomous Region, 850000
Applicant after: Tibet Ningsuan Technology Group Co., Ltd.
Address before: 210038 Building A1, Huizhi Science Park, 8 Hengtai Road, Qixia District, Nanjing City, Jiangsu Province
Applicant before: DILU TECHNOLOGY Co., Ltd.
GR01 Patent grant