CN113965343A - Terminal equipment isolation method and device based on local area network - Google Patents


Info

Publication number
CN113965343A
Authority
CN
China
Prior art keywords
security group
message
forwarded
field
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111036717.8A
Other languages
Chinese (zh)
Inventor
李磊
叶雨珍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruijie Networks Co Ltd
Original Assignee
Ruijie Networks Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ruijie Networks Co Ltd
Priority to CN202111036717.8A
Publication of CN113965343A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information the source of the received data

Abstract

The invention discloses a terminal device isolation method based on a local area network, which is applied to a gateway device of the local area network with a security group configuration function and comprises the following steps: judging whether the message to be forwarded contains a security group identifier which accords with a preset rule; when the message to be forwarded contains a security group identifier which accords with a preset rule, acquiring a first security group number ID in the security group identifier of the message to be forwarded and security group conditions which are configured by the gateway equipment and correspond to the first security group ID; judging whether the destination IP of the message to be forwarded meets the security group condition corresponding to the first security group ID; if yes, forwarding the message to be forwarded; and if not, discarding the message to be forwarded. The embodiment of the invention can solve the problems of complex terminal isolation implementation, difficult maintenance and low safety in the prior art.

Description

Terminal equipment isolation method and device based on local area network
Technical Field
The present invention relates to the field of data communication technologies, and in particular, to a method and an apparatus for isolating a terminal device based on a local area network.
Background
A Local Area Network (LAN) is a computer Network that connects computers in a limited Area such as a residence, school, laboratory, university campus, or office building. In contrast, Wide Area Networks (WAN) not only cover large geographical distances, but also typically involve a fixed private line and a connection for the internet. The internet is more expansive and is a system that connects businesses and personal computers worldwide.
A computer virus, or electronic computer virus, is a computer program, created either deliberately or not, that can replicate or run on its own without the knowledge or approval of the user. Computer viruses often impair the proper functioning of an infected computer, or take control of it so that the user is unaware the computer is being used to steal data or for purposes other than those the user intended.
System vulnerabilities are defects or errors in the logic design of application software or operating system software. They are exploited by malicious actors, who attack or take control of the whole computer by implanting viruses, trojans and the like over the network, steal important data and information from the computer, and may even damage the system.
Antivirus software is used to detect and remove computer viruses, computer worms and trojan horse programs. Antivirus software usually provides real-time program monitoring and identification, malicious program scanning and removal, automatic virus database updates and the like, and some products also offer damage recovery. It is an important component of a computer's defence system (together with a firewall, programs for protecting against and deleting trojans and other malicious software, an intrusion prevention system and so on). The core of antivirus software is the virus scanning engine. With feature code (signature) scanning, for example, the scanned information is compared against a virus database (the so-called "virus feature library"); if the information matches any virus feature, the antivirus software judges the file to be infected. When antivirus software scans for and removes viruses, one or more sections of code in a file are selected as the pattern by which the virus is identified; these sections are called the virus's feature codes. Feature codes are extracted from virus samples, and the extracted code is specific enough that it is unlikely to match the code of ordinary normal programs. The extracted code also has an appropriate length: long enough to keep the feature code unique, and short enough that the space and time overhead of scanning is not excessive.
Terminal devices in existing local area networks, such as office terminals, rely on antivirus software to detect computer viruses. Such software mainly analyses the characteristics of virus files and performs matching after extracting the feature code, so it lags behind new viruses and has difficulty identifying them. Viruses and antivirus software are in constant confrontation: an upgraded or updated virus changes its feature code to evade detection. Once the antivirus software fails to recognise a virus, the virus scans other terminal devices in the LAN and infects those with known system vulnerabilities, so that a large number of terminal devices in the LAN are compromised.
For the above situation, the following method is generally adopted in the local area network to perform security isolation on the terminal device:
1. Access Control List (ACL)
An access control list is a list of instructions applied at the interface of a data communication device. These instruction lists tell the device which packets may be accepted and which must be rejected. Whether a packet is accepted or rejected can be decided by specific match conditions such as source address, destination address, port number and so on. An ACL-based scheme can isolate office terminal devices in a local area network, but fine-grained isolation at the level of individual terminal devices requires configuring a large number of ACL rules, so configuration and maintenance are difficult.
2. Private VLAN (PVLAN)
A private VLAN circumvents the limit of only 4094 VLANs through a primary VLAN and secondary VLAN mechanism. Several types of secondary VLAN can be divided under one primary VLAN: isolated VLANs and community VLANs. Any port in an isolated VLAN can reach the primary VLAN but cannot access any other secondary VLAN, and terminal devices within the same isolated VLAN cannot communicate with each other. Ports in a community VLAN can communicate with each other and with the primary VLAN, but not with any other secondary VLAN.
If the office terminal devices of a local area network are placed in an isolated VLAN, all terminal devices are isolated from each other; but some terminal devices still need to communicate with each other, and the network administrator must move them into the same community VLAN for that communication. After the communication ends, they must be moved back into the isolated VLAN to keep the terminal devices isolated from each other. Using private VLANs (PVLAN) for security isolation between terminal devices is therefore cumbersome to configure and imposes a large daily maintenance workload on network management.
Therefore, a terminal isolation method that is safe, reliable and easy to implement is needed at present.
Disclosure of Invention
The embodiment of the invention provides a terminal equipment isolation method and device based on a local area network, which are used for solving the problems of complex terminal isolation implementation, difficult maintenance and low safety in the prior art.
In one aspect, according to an embodiment of the present invention, a method for isolating a terminal device based on a local area network is provided, where the method is applied to a gateway device of the local area network having a security group configuration function, and includes:
judging whether the message to be forwarded contains a security group identifier which accords with a preset rule;
when the message to be forwarded contains a security group identifier which accords with a preset rule, acquiring a first security group number ID in the security group identifier of the message to be forwarded and security group conditions which are configured by the gateway equipment and correspond to the first security group ID;
judging whether the destination IP of the message to be forwarded meets the security group condition corresponding to the first security group ID;
if yes, forwarding the message to be forwarded; and if not, discarding the message to be forwarded.
Optionally, the method further comprises:
configuring the security group identification according to the preset security group condition and the corresponding relation of the security group ID; the security group condition comprises one or more of an IP address, a network segment, a MAC address, a VLAN identifier and a port number.
Optionally, the configuring of the security group identifier according to the preset security group condition and the corresponding relationship between the security group IDs includes:
judging whether the received message meets the security group condition;
and when the message meets the security group conditions, configuring a corresponding security group identifier for the message according to a preset rule and the corresponding relation, wherein the security group identifier comprises a security group ID.
Optionally, the configuring a corresponding security group identifier for the packet includes:
filling optional Option fields at the tail end of the IPv4 message header of the message according to preset values;
wherein, the Option field comprises a Code field, a Length field and a Data field; the Code field is used for representing whether the Option field is used for representing security group identification or not, and the Length field is used for representing the Length of the Data field; the Data field is used to represent a security group ID.
Optionally, the Code field comprises a Copy field, a Class field and a Number field; the preset value corresponding to the Copy field is 1, the preset value corresponding to the Class field is 01, and the preset value corresponding to the Number field is 01111.
Optionally, the obtaining the security group condition configured by the gateway device and corresponding to the first security group ID includes:
and acquiring the security group conditions configured by the gateway equipment and corresponding to the first security group ID of the message to be forwarded according to the corresponding relation between the preset security group conditions and the security group ID.
On the other hand, according to an embodiment of the present invention, there is further provided a terminal device isolation apparatus based on a local area network, where the apparatus is applied to a gateway device of the local area network having a security group configuration function, and the apparatus includes: a first judgment module, an acquisition module, a second judgment module and a processing module; wherein:
the first judging module is used for judging whether the received message to be forwarded contains a security group identifier which accords with a preset rule;
an obtaining module, configured to obtain, when the to-be-forwarded packet includes a security group identifier that meets a preset rule, a first security group number ID in the security group identifier of the to-be-forwarded packet and a security group condition configured by the gateway device and corresponding to the first security group ID;
a second judging module, configured to judge whether a destination IP of the packet to be forwarded satisfies a security group condition corresponding to the first security group ID;
the processing module is configured to forward the packet to be forwarded if the destination IP of the packet to be forwarded satisfies the security group condition corresponding to the first security group ID, and discard the packet to be forwarded if the destination IP of the packet to be forwarded does not satisfy the security group condition corresponding to the first security group ID.
Further, the apparatus further comprises: the configuration module is used for configuring the safety group identification according to the preset safety group condition and the corresponding relation of the safety group ID; the security group condition comprises one or more of an IP address, a network segment, a MAC address, a VLAN identifier and a port number.
Further, the configuration module configures the security group identifier according to a preset security group condition and a corresponding relationship between the security group IDs, and is specifically configured to:
judging whether the received message meets the security group condition;
and when the message meets the security group conditions, configuring a corresponding security group identifier for the message according to a preset rule and the corresponding relation, wherein the security group identifier comprises a security group ID.
Further, the configuration module configures a corresponding security group identifier for the packet, and is specifically configured to:
filling optional Option fields at the tail end of the IPv4 message header of the message according to preset values;
wherein, the Option field comprises a Code field, a Length field and a Data field; the Code field is used for representing whether the Option field is used for representing security group identification or not, and the Length field is used for representing the Length of the Data field; the Data field is used to represent a security group ID.
The obtaining module is configured to obtain the security group condition configured by the gateway device and corresponding to the first security group ID, and specifically configured to:
and acquiring the security group conditions configured by the gateway equipment and corresponding to the first security group ID of the message to be forwarded according to the corresponding relation between the preset security group conditions and the security group ID.
According to the embodiment of the invention, the electronic equipment comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
a memory for storing a computer program;
a processor for implementing the above method steps when executing the program stored in the memory.
According to an embodiment of the present invention, there is also provided a computer-readable storage medium having stored therein a computer program, which when executed by a processor, performs the above-mentioned method steps.
The invention has the following beneficial effects:
the terminal device isolation method and device based on the local area network provided by the embodiment of the invention judge whether the received message to be forwarded contains the safety group identification which accords with the configuration; when the message to be forwarded contains a configured security group identifier, acquiring a first security group ID in the security group identifier of the message to be forwarded and a security group condition configured by the gateway device and corresponding to the first security group ID; judging whether the destination IP of the message to be forwarded meets the security group condition corresponding to the first security group ID; if yes, forwarding the message to be forwarded; and if not, discarding the message to be forwarded. The embodiment of the invention acquires the message configured with the security group function by judging whether the message to be forwarded contains the pre-configured security group identification, and then forwards or discards the message according to the security group number ID in the security group identification of the message to be forwarded and the corresponding security group condition to realize message isolation based on the security group identification.
Drawings
Fig. 1 is a flowchart of a method for isolating a terminal device based on a local area network according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a terminal device isolation apparatus based on a local area network in an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an electronic device shown in the present application.
Detailed Description
In order to solve the problems of complex implementation of terminal isolation, difficult maintenance and low security in the prior art, the terminal isolation method based on the local area network according to the embodiments of the present invention obtains a packet configured with a security group function by determining whether the packet to be forwarded includes a pre-configured security group identifier, and then forwards or discards the packet according to a security group number ID in the security group identifier of the packet to be forwarded and a corresponding security group condition. The flow of the method of the present invention is shown in fig. 1, and can be applied to a gateway device of the local area network having a security group configuration function, and the method performs the following steps:
step 101, judging whether a message to be forwarded contains a security group identifier which accords with configuration;
in the embodiment of the invention, the gateway equipment of the local area network is pre-configured with a security group number ID, a security group condition and a corresponding relation of the security group number ID and the security group condition; the security group condition is one or more of information based on internet protocol IP address, network segment, local area network MAC address, virtual local area network VLAN identification, port number and the like;
when the gateway device starts a security group configuration function, matching the received messages according to the pre-configured security group conditions, and configuring the security group identification of the matched messages according to the preset rules. Here, terminal devices corresponding to security group identifications configured with different security group IDs are isolated from each other.
It is determined whether the message to be forwarded includes a security group identifier meeting the preset rule; if so, step 102 is executed, otherwise the message can be processed according to the existing message forwarding policy.
Step 102, when the message to be forwarded includes a security group identifier meeting a preset rule, acquiring a first security group number ID in the security group identifier of the message to be forwarded and a security group condition configured by the gateway device and corresponding to the first security group ID;
here, since the security group identifier includes the security group ID, the security group ID of the message to be forwarded can be read from its security group identifier; for convenience of description it is called the first security group ID, and the security group condition corresponding to the first security group ID is obtained from the correspondence between security group IDs and security group conditions.
Step 103, judging whether the destination IP of the message to be forwarded meets the security group condition corresponding to the first security group ID;
specifically, the destination terminal device of the packet to be forwarded may be determined from the destination IP of the packet to be forwarded, and it is then determined whether the security group condition corresponding to that destination terminal device satisfies the security group condition corresponding to the first security group ID.
Step 104, if yes, forwarding the message to be forwarded; and if not, discarding the message to be forwarded.
Optionally, the method further comprises:
configuring the security group identification according to the preset security group condition and the corresponding relation of the security group ID; the security group condition comprises one or more of an IP address, a network segment, a MAC address, a VLAN identifier and a port number.
Wherein, according to the preset security group condition and the corresponding relationship of the security group ID, the configuration of the security group identification comprises:
judging whether the received message meets the security group condition;
and when the message meets the security group conditions, configuring a corresponding security group identifier for the message according to a preset rule and the corresponding relation, wherein the security group identifier comprises a security group ID.
For example, with the IP address as the security group condition, as shown in Table 1, when the gateway device has two ports, where the IP of port 1 is 192.168.100.1 and the IP of port 2 is 172.16.20.1, the security group conditions are:

Security group ID | Security group condition
0x0001 | IP: 192.168.100.0/24
0x0002 | IP: 172.16.20.0/16

Table 1

When port 1 receives a message with source IP 192.168.100.5 and destination IP 172.16.20.10, the message is marked with the security group ID 0x0001 according to the security group condition, which indicates that the message comes from security group 0x0001. When the port is ready to send the packet, the destination IP belongs to security group 0x0002, a different security group from the 0x0001 recorded in the packet, so the gateway device directly discards the packet.
Optionally, the configuring a corresponding security group identifier for the packet includes:
filling optional Option fields at the tail end of the IPv4 message header of the message according to preset values;
In general, an Option field of 0 to 40 bytes is reserved at the tail end of the IPv4 header and is used for network forwarding control and for debugging and test purposes.
Wherein, the Option field comprises a Code field, a Length field and a Data field; the Code field is used for representing whether the Option field is used for representing security group identification or not, and the Length field is used for representing the Length of the Data field; the Data field is used to represent a security group ID.
Since the security group identification is a private Option definition for use within the local area network only, the security group identification Option should use values that IPv4 reserves or leaves undefined. The IPv4 specification already partially defines the "Code" field through its "Copy", "Class" and "Number" subfields:
1) Copy:
0: copy to first fragment only
1: copy to all fragments
2) Class:
00: control
01: reserved
10: debugging and measurement
11: reserved
3) Number:
00000: End of Option List
00001: No Operation
00011: Loose Source Routing
00111: Record Route
01001: Strict Source Routing
Optionally, the Code field comprises a Copy field, a Class field and a Number field; the preset value corresponding to the Copy field is 1, the preset value corresponding to the Class field is 01, and the Number field is the last 5 bits, of which 2^5 - 5 = 27 values are not defined by the IPv4 protocol and any of them may be chosen. It should be understood that the preset value corresponding to the Class field may also be 11.
Specifically, to ensure that all illegal packet fragments can be completely discarded according to the security group identification Option, the "Copy" field is defined as "1: copy to all fragments". The "Class" field is defined as "01" and the "Number" field is defined as "01111". Therefore, the "Code" field of the security group identification Option is defined as "10101111".
Following the Option format defined by IPv4, the security group identification Option also uses a "Length" byte after "Code" to indicate how many bytes the "Data" field occupies. The default value of Length is 2, so the Data field is 2 bytes long and 65536 security groups can be defined, which is sufficient for isolating the terminal devices of a local area network.
Acquiring the security group condition configured by the gateway device and corresponding to the first security group ID includes:
and acquiring the security group conditions configured by the gateway equipment and corresponding to the first security group ID of the message to be forwarded according to the corresponding relation between the preset security group conditions and the security group ID.
Further, when the gateway device enables the security group configuration function, it may also enable an Address Resolution Protocol proxy (ARP Proxy) function in a linked manner. When the destination IP for which address resolution is requested does not belong to the same security group as the terminal device (source IP) that initiated the ARP request, the gateway device discards the ARP request and does not respond. Terminal devices in different security groups are therefore invisible to each other at layer 2, which realises layer-2 isolation.
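The following is an added worked example, not code from the patent or from Ruijie Networks, that ties together the three mechanisms described above: the security-group Option encoding (Code 10101111, a Length byte and a 2-byte Data field holding the group ID), the mark-then-check forwarding logic of steps 101 to 104 using the Table 1 groups, and the linked ARP Proxy check. The group table and all addresses are the ones from Table 1; everything else (function names, treating an unmarked packet as "forward" under the default policy, dropping a mark with an unknown group ID, and answering ARP only when both requester and target are in the same group) is my own assumption. One caveat is built in: RFC 791's length octet counts the whole option, whereas the patent defines Length as the size of Data alone, so the parser steps over the two kinds of option differently.

```python
import ipaddress
import struct

# Constructed security-group table taken from Table 1 of the patent text:
# security group ID -> list of conditions (only IP-network conditions are
# modelled here; the patent also allows MAC, VLAN and port conditions).
# 172.16.20.0/16 has host bits set, so strict=False normalises it to
# 172.16.0.0/16, exactly as a router applying the mask would.
SECURITY_GROUPS = {
    0x0001: [ipaddress.ip_network("192.168.100.0/24")],
    0x0002: [ipaddress.ip_network("172.16.20.0/16", strict=False)],
}

# Option "Code" byte as the patent defines it: Copy=1, Class=01, Number=01111.
SG_OPTION_CODE = (1 << 7) | (0b01 << 5) | 0b01111   # 0b10101111 == 0xAF
SG_DATA_LEN = 2                                     # patent: Length = size of Data

IPOPT_EOL = 0   # End of Option List (RFC 791)
IPOPT_NOP = 1   # No Operation (RFC 791)


def build_sg_option(group_id: int) -> bytes:
    """Encode the security-group Option: Code | Length | Data (group ID, big-endian)."""
    if not 0 <= group_id <= 0xFFFF:
        raise ValueError("security group ID must fit in the 2-byte Data field")
    return struct.pack("!BBH", SG_OPTION_CODE, SG_DATA_LEN, group_id)


def parse_sg_option(options: bytes):
    """Walk an IPv4 options area and return the security group ID, or None.

    Standard options are stepped over with RFC 791 semantics (length octet
    counts the whole option); the security-group option uses the patent's
    semantics (Length counts only the Data bytes).
    """
    i = 0
    while i < len(options):
        code = options[i]
        if code == IPOPT_EOL:
            break
        if code == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if code == SG_OPTION_CODE:
            if length != SG_DATA_LEN or i + 2 + length > len(options):
                raise ValueError("malformed security group option")
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed standard option")
        i += length
    return None


def classify(ip: str):
    """Return the ID of the first security group whose condition matches ip, else None."""
    addr = ipaddress.ip_address(ip)
    for group_id, conditions in SECURITY_GROUPS.items():
        if any(addr in net for net in conditions):
            return group_id
    return None


def mark_packet(options: bytes, src_ip: str) -> bytes:
    """Ingress: if the source matches a security group condition and the packet
    is not yet marked, append the security-group Option to the options area."""
    group_id = classify(src_ip)
    if group_id is None or parse_sg_option(options) is not None:
        return options
    return options + build_sg_option(group_id)


def forward_decision(options: bytes, dst_ip: str) -> str:
    """Egress (steps 101-104): forward only if the destination satisfies the
    condition of the group recorded in the packet. An unmarked packet follows
    the existing forwarding policy (modelled as "forward"); a mark carrying an
    unknown group ID is dropped (fail closed; my assumption)."""
    group_id = parse_sg_option(options)
    if group_id is None:
        return "forward"
    conditions = SECURITY_GROUPS.get(group_id)
    if conditions is None:
        return "drop"
    dst = ipaddress.ip_address(dst_ip)
    return "forward" if any(dst in net for net in conditions) else "drop"


def arp_proxy_should_answer(src_ip: str, target_ip: str) -> bool:
    """Linked ARP Proxy: answer only when requester and target are in the same
    security group (a requester outside every group gets no answer; assumption)."""
    src_group = classify(src_ip)
    return src_group is not None and src_group == classify(target_ip)


if __name__ == "__main__":
    opts = mark_packet(b"", "192.168.100.5")
    print(opts.hex(), forward_decision(opts, "172.16.20.10"))   # af020001 drop
```

Running the module reproduces the Table 1 walk-through: the packet from 192.168.100.5 is marked `af 02 00 01` on ingress, and because 172.16.20.10 falls under group 0x0002 rather than 0x0001 the egress check returns "drop". The parser deliberately refuses a security-group option whose Length is not 2, so a mark that has been tampered with or truncated is rejected instead of being silently read.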
The embodiment of the invention acquires the message configured with the security group function by judging whether the message to be forwarded contains the pre-configured security group identification, and then forwards or discards the message according to the security group number ID in the security group identification of the message to be forwarded and the corresponding security group condition to realize message isolation based on the security group identification.
Based on the same inventive concept, an embodiment of the present invention provides a terminal device isolation apparatus based on a local area network, which may be applied to a gateway device of the local area network having a security group configuration function. The structure of the apparatus is shown in fig. 2 and includes: a first judgment module 21, an acquisition module 22, a second judgment module 23 and a processing module 24; wherein:
the first judging module 21 is configured to judge whether a received to-be-forwarded message includes a security group identifier that meets a preset rule;
an obtaining module 22, configured to, when the to-be-forwarded packet includes a security group identifier that meets a preset rule, obtain a first security group number ID in the security group identifier of the to-be-forwarded packet and a security group condition configured by the gateway device and corresponding to the first security group ID;
a second determining module 23, configured to determine whether a destination IP of the packet to be forwarded meets a security group condition corresponding to the first security group ID;
the processing module 24 is configured to forward the packet to be forwarded if the destination IP of the packet to be forwarded satisfies the security group condition corresponding to the first security group ID, and discard the packet to be forwarded if the destination IP of the packet to be forwarded does not satisfy the security group condition corresponding to the first security group ID.
Optionally, the apparatus further comprises: the configuration module is used for configuring the safety group identification according to the preset safety group condition and the corresponding relation of the safety group ID; the security group condition comprises one or more of an IP address, a network segment, a MAC address, a VLAN identifier and a port number.
The configuration module performs configuration of the security group identifier according to a preset security group condition and a corresponding relationship between the security group IDs, and is specifically configured to:
judging whether the received message meets the security group condition;
and when the message meets the security group conditions, configuring a corresponding security group identifier for the message according to a preset rule and the corresponding relation, wherein the security group identifier comprises a security group ID.
The configuration module is configured to configure a corresponding security group identifier for the packet, and specifically configured to:
filling optional Option fields at the tail end of the IPv4 message header of the message according to preset values;
wherein, the Option field comprises a Code field, a Length field and a Data field; the Code field is used for representing whether the Option field is used for representing security group identification or not, and the Length field is used for representing the Length of the Data field; the Data field is used to represent a security group ID.
The obtaining module 22 is configured to obtain the security group condition configured by the gateway device and corresponding to the first security group ID, and specifically configured to:
and acquiring the security group conditions configured by the gateway equipment and corresponding to the first security group ID of the message to be forwarded according to the corresponding relation between the preset security group conditions and the security group ID.
It should be understood that the implementation principle and process of the terminal device isolation apparatus based on the local area network according to the embodiment of the present invention are similar to those in fig. 1 and the embodiment shown above, and are not described herein again.
The terminal device isolation method and device based on the local area network provided by the embodiment of the invention judge whether a received message to be forwarded contains a security group identifier that conforms to the configuration; when the message to be forwarded contains a conforming security group identifier, obtain the first security group ID in that security group identifier and the security group condition configured by the gateway device and corresponding to the first security group ID; judge whether the destination IP of the message to be forwarded meets the security group condition corresponding to the first security group ID; if yes, forward the message to be forwarded; and if not, discard the message to be forwarded. The embodiment of the invention thus identifies the messages to which the security group function applies by judging whether the message to be forwarded contains the pre-configured security group identifier, and then forwards or discards each such message according to the security group ID in its security group identifier and the corresponding security group condition, so that message isolation based on the security group identifier is realized.
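As an added example (not code from the patent or from Ruijie Networks), the following Python encodes the Option field of claims 4 and 5 into an IPv4 header and applies the forward/drop decision of claim 1 to constructed packets. The 16-bit width of the group ID, the fail-closed handling of a group ID with no configured condition, and the pass-through of packets carrying no identifier are assumptions, since the description does not fix them.

```python
"""Added example, not code from the patent or from Ruijie Networks: it encodes
the security group identifier as the IPv4 option of claims 4 and 5 and applies
the gateway's forward/drop rule of claim 1 to constructed packets. The 2-byte
width of the group ID is an assumption; the patent does not fix it."""
import ipaddress
import struct

# Code byte from claim 5: Copy=1, Class=01, Number=01111 -> 0b1_01_01111 = 0xAF
SG_OPTION_CODE = (1 << 7) | (0b01 << 5) | 0b01111
OPT_EOL, OPT_NOP = 0, 1  # single-byte IPv4 options (RFC 791)


def build_sg_option(group_id: int) -> bytes:
    """Code | Length | Data. Per the patent text Length counts only the Data
    bytes; RFC 791 options count the whole option, so a generic option walker
    would mis-parse this one (parse_sg_option handles both conventions)."""
    data = struct.pack("!H", group_id)  # assumption: 16-bit group ID
    return bytes([SG_OPTION_CODE, len(data)]) + data


def build_ipv4_packet(src: str, dst: str, options: bytes = b"") -> bytes:
    """Minimal IPv4 header with the option at the tail of the header, padded
    with EOL to a 32-bit boundary and IHL adjusted. Header checksum left zero."""
    options += bytes([OPT_EOL]) * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                        64, 17, 0, ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return fixed + options


def parse_sg_option(packet: bytes):
    """Walk the option area; return the security group ID, or None when the
    packet carries no conforming identifier or the header is malformed."""
    if len(packet) < 20:
        return None
    ihl = packet[0] & 0x0F
    if ihl < 5 or len(packet) < ihl * 4:
        return None
    opts, i = packet[20:ihl * 4], 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_EOL:
            break
        if code == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return None  # truncated option header
        length = opts[i + 1]
        if code == SG_OPTION_CODE:
            data = opts[i + 2:i + 2 + length]
            return struct.unpack("!H", data)[0] if len(data) == 2 else None
        if length < 2:
            return None  # malformed RFC 791 option; do not loop forever
        i += length  # other options: Length covers the whole option
    return None


def gateway_decision(packet: bytes, sg_conditions: dict) -> str:
    """Claim 1: with a conforming identifier present, forward only if the
    destination IP satisfies the condition configured for that group ID.
    Assumptions: unknown ID -> drop (fail closed); no identifier -> pass on."""
    group_id = parse_sg_option(packet)
    if group_id is None:
        return "no_identifier"
    dst = ipaddress.IPv4Address(packet[16:20])
    allowed = sg_conditions.get(group_id, ())
    return "forward" if any(dst in net for net in allowed) else "drop"


# Constructed configuration: group ID -> destination IP / segment conditions
SG_CONDITIONS = {10: [ipaddress.ip_network("192.168.10.0/24"),
                      ipaddress.ip_network("10.0.0.5/32")]}
```

Because the Option is "copied" (Copy=1) it survives fragmentation, but a gateway that does not verify the header checksum or trusts an identifier set by the terminal itself is relying on the configuration module, not the option, for isolation.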
An electronic device is further provided in the embodiment of the present application, please refer to fig. 3, which includes a processor 510, a communication interface 520, a memory 530 and a communication bus 540, wherein the processor 510, the communication interface 520 and the memory 530 complete communication with each other through the communication bus 540.
A memory 530 for storing a computer program;
the processor 510 is configured to implement the method for isolating a terminal device based on a local area network according to any of the above embodiments when executing the program stored in the memory 530.
The communication interface 520 is used for communication between the electronic apparatus and other apparatuses.
The memory may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In the scheme, the message configured with the security group function is obtained by judging whether the message to be forwarded contains the pre-configured security group identification, and then the message is forwarded or discarded according to the security group number ID in the security group identification of the message to be forwarded and the corresponding security group condition, so that the message isolation based on the security group identification is realized.
Accordingly, an embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the computer is caused to execute any of the above-described local area network-based terminal device isolation methods.
In the scheme, the message configured with the security group function is obtained by judging whether the message to be forwarded contains the pre-configured security group identification, and then the message is forwarded or discarded according to the security group number ID in the security group identification of the message to be forwarded and the corresponding security group condition, so that the message isolation based on the security group identification is realized.
Those of ordinary skill in the art will understand that: the figures are merely schematic representations of one embodiment, and the blocks or flow diagrams in the figures are not necessarily required to practice the present invention.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the apparatus and system embodiments are substantially similar to the method embodiments, they are described more briefly, and reference may be made to the relevant parts of the description of the method embodiments. The above-described embodiments of the apparatus and system are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement this without inventive effort.
In addition, in some of the flows described in the above embodiments and the drawings, a plurality of operations are included in a specific order, but it should be clearly understood that the operations may be executed out of the order presented herein or in parallel, and the sequence numbers of the operations, such as 201, 202, 203, etc., are merely used for distinguishing different operations, and the sequence numbers themselves do not represent any execution order. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While alternative embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following appended claims be interpreted as including alternative embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the embodiments of the present invention without departing from the spirit or scope of the embodiments of the invention. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass such modifications and variations.

Claims (13)

1. A terminal device isolation method based on a local area network is applied to a gateway device of the local area network with a security group configuration function, and comprises the following steps:
judging whether the message to be forwarded contains a security group identifier which accords with a preset rule;
when the message to be forwarded contains a security group identifier which accords with a preset rule, acquiring a first security group number ID in the security group identifier of the message to be forwarded and security group conditions which are configured by the gateway equipment and correspond to the first security group ID;
judging whether the destination IP of the message to be forwarded meets the security group condition corresponding to the first security group ID;
if yes, forwarding the message to be forwarded; and if not, discarding the message to be forwarded.
2. The method of claim 1, further comprising:
configuring a security group identifier for the message according to a preset security group condition and a corresponding relation of the security group ID; the security group condition comprises one or more of an IP address, a network segment, a MAC address, a VLAN identifier and a port number.
3. The method according to claim 2, wherein the configuring of the security group identifier for the packet according to the preset security group condition and the correspondence between the security group IDs comprises:
judging whether the received message meets the security group condition;
and when the message meets the security group conditions, configuring a corresponding security group identifier for the message according to a preset rule and the corresponding relation, wherein the security group identifier comprises a security group ID.
4. The method according to claim 3, wherein the configuring the corresponding security group identifier for the packet comprises:
filling optional Option fields at the tail end of the IPv4 message header of the message according to preset values;
wherein, the Option field comprises a Code field, a Length field and a Data field; the Code field is used for representing whether the Option field is used for representing security group identification or not, and the Length field is used for representing the Length of the Data field; the Data field is used to represent a security group ID.
5. The method of claim 4, wherein the Code field comprises a Copy field, a Class field, and a Number field; the preset value corresponding to the Copy field is 1, the preset value corresponding to the Class field is 01, and the preset value corresponding to the Number field is 01111.
6. The method of any of claims 1 to 5, wherein obtaining the security group condition configured by the gateway device corresponding to the first security group ID comprises:
and acquiring the security group conditions configured by the gateway equipment and corresponding to the first security group ID of the message to be forwarded according to the corresponding relation between the preset security group conditions and the security group ID.
7. A terminal device isolation apparatus based on a local area network, wherein the apparatus is applied to a gateway device of the local area network having a security group configuration function, and comprises a first judging module, an obtaining module, a second judging module and a processing module; wherein:
the first judging module is configured to judge whether a received message to be forwarded contains a security group identifier that conforms to a preset rule;
the obtaining module is configured to obtain, when the message to be forwarded contains a security group identifier that conforms to the preset rule, a first security group number ID in the security group identifier of the message to be forwarded and a security group condition configured by the gateway device and corresponding to the first security group ID;
the second judging module is configured to judge whether a destination IP of the message to be forwarded satisfies the security group condition corresponding to the first security group ID;
the processing module is configured to forward the message to be forwarded if the destination IP of the message to be forwarded satisfies the security group condition corresponding to the first security group ID, and to discard the message to be forwarded if it does not.
8. The apparatus of claim 7, further comprising a configuration module, configured to configure the security group identifier according to a correspondence between preset security group conditions and security group IDs; the security group condition comprises one or more of an IP address, a network segment, a MAC address, a VLAN identifier and a port number.
9. The apparatus of claim 8, wherein the configuration module configures the security group identifier according to a preset security group condition and a corresponding relationship between security group IDs, and is specifically configured to:
judging whether the received message meets the security group condition;
and when the message meets the security group conditions, configuring a corresponding security group identifier for the message according to a preset rule and the corresponding relation, wherein the security group identifier comprises a security group ID.
10. The apparatus according to claim 9, wherein the configuration module is configured to configure a corresponding security group identifier for the packet, and is specifically configured to:
filling optional Option fields at the tail end of the IPv4 message header of the message according to preset values;
wherein, the Option field comprises a Code field, a Length field and a Data field; the Code field is used for representing whether the Option field is used for representing security group identification or not, and the Length field is used for representing the Length of the Data field; the Data field is used to represent a security group ID.
11. The apparatus according to any one of claims 7 to 10, wherein the obtaining module is configured to obtain the security group condition configured by the gateway device and corresponding to the first security group ID, and is specifically configured to:
and acquiring the security group conditions configured by the gateway equipment and corresponding to the first security group ID of the message to be forwarded according to the corresponding relation between the preset security group conditions and the security group ID.
12. An electronic device, characterized in that the electronic device comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory are communicated with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 1-6 when executing a program stored on a memory.
13. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1 to 6.
CN202111036717.8A 2021-09-06 2021-09-06 Terminal equipment isolation method and device based on local area network Pending CN113965343A (en)
Publications (1)

Publication Number Publication Date
CN113965343A true CN113965343A (en) 2022-01-21
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination