CN113973303B - Method for realizing mobile terminal equipment access control gateway based on data packet analysis - Google Patents
- Publication number: CN113973303B
- Application number: CN202111288984.4A
- Authority: CN (China)
- Prior art keywords
- terminal
- source address
- mobile terminal
- control
- data packet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
- H04W12/30—Security of mobile devices; Security of mobile applications
- H04W12/37—Managing security policies for mobile devices or for controlling mobile applications
- H04W48/00—Access restriction; Network selection; Access point selection
- H04W48/16—Discovering, processing access restriction or access information
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method for implementing a mobile terminal device access control gateway based on data packet analysis, comprising the following steps: the control gateway is configured with interception rules for intercepting data packets; when a mobile terminal device establishes a mutual trust relationship with the terminal management and control system, the control gateway actively intercepts the data packets that match the interception rules, performs protocol analysis on them to obtain the terminal source address, adds that source address to a dynamic policy control list and sets a timeout for it; the control gateway actively intercepts the heartbeat packets that the mobile terminal device sends to the terminal management and control system at regular intervals, and analyzes and processes them; and if the control gateway does not intercept a heartbeat packet from the mobile terminal device within the timeout, the corresponding terminal source address is removed from the dynamic policy control list. The invention effectively solves the problem that, in certain practical scenarios, the control gateway cannot accurately control the access of mobile terminal devices.
Description
Technical Field
The invention relates to the technical field of network communication information security, and in particular to a method for implementing a mobile terminal device access control gateway based on data packet analysis.
Background
With the vigorous development of computer networks and the rapid rise of the IoT field in recent years, mobile terminal devices of all kinds have become increasingly widespread. While the development of network technology has brought great convenience, network security problems have also become increasingly serious. How to accurately control the access of these various mobile terminal devices has become a technical problem that current technology needs to solve.
At present, a mobile terminal device access control gateway is generally implemented as follows: when a mobile terminal device logs in, it first establishes a mutual trust relationship with the terminal management and control system; the terminal management and control system then synchronizes the terminal information, which includes the terminal IP address, to the control gateway; and the control gateway applies a forward or discard policy to data packets based on that terminal IP address. More specifically, fig. 1 shows the general implementation of an access control gateway for industry mobile terminal devices: the gateway passively obtains the terminal IP address from the terminal management and control system through its interaction with that system, and controls the access of the mobile terminal device on that basis. The basic flow is as follows:
1. by default the control gateway only allows traffic from all terminal addresses to reach the terminal management and control system; only terminal IP addresses that have been added to the policy control list can access the specified service;
2. the mobile terminal device places its terminal IP address in the login protocol and then performs the login service with the terminal management and control system;
3. the terminal management and control system obtains the logged-in terminal information (including the terminal IP address) from the login protocol and sends it to the control gateway;
4. after receiving the terminal information from the terminal management and control system, the control gateway adds the terminal IP address to the policy control list;
5. the logged-in mobile terminal device can access the specified service through the control gateway;
6. when the mobile terminal device sends a log-out request to the terminal management and control system, that system notifies the control gateway of the terminal information, and the control gateway removes the logged-out terminal IP address from the policy control list;
7. the logged-out mobile terminal device can no longer access the specified service.
However, in some practical application scenarios, shown in fig. 2, the mobile terminal device cannot supply the correct IP address through the login protocol; that is, when the terminal management and control system processes the login service of the mobile terminal device, the terminal IP address it obtains is distorted. The terminal IP address obtained by the mobile terminal device access control gateway is therefore distorted as well, and because this distorted terminal IP address differs from the source address of the data packets the mobile terminal device actually sends when it performs the service, the access control gateway cannot perform effective access control on the terminal.
For this reason, the applicant has, through research and study, found a solution to the above problems, and the technical solution described below was developed against that background.
Disclosure of Invention
One of the technical problems to be solved by the invention is as follows: in view of the defects of the prior art, to provide a method for implementing a mobile terminal device access control gateway based on data packet analysis, so as to solve the problem that a mobile terminal device cannot provide its real IP address to the terminal management and control system.
The technical problems to be solved by the invention can be solved by adopting the following technical scheme:
a method for implementing a mobile terminal device access control gateway based on data packet analysis, comprising the following steps:
step S10, configuring interception rules according to which the control gateway intercepts data packets;
step S20, when a mobile terminal device establishes a mutual trust relationship with the terminal management and control system, the control gateway actively intercepts the data packets that match an interception rule, performs protocol analysis on the intercepted data packets to obtain the terminal source address of each packet, adds the obtained terminal source address to a dynamic policy control list, and sets a timeout for the obtained terminal source address;
step S30, the control gateway actively intercepts the heartbeat packets that the mobile terminal device sends to the terminal management and control system at regular intervals, and analyzes and processes the intercepted heartbeat packets to determine whether the timeout of the terminal source address needs to be reset;
and step S40, if the control gateway does not intercept a heartbeat packet sent by the mobile terminal device to the terminal management and control system within the timeout, the corresponding terminal source address is removed from the dynamic policy control list.
In a preferred embodiment of the present invention, in step S10, the interception rules are configured as follows:
A. the network access control mode of the control gateway includes the use of an iptables policy or the use of DPDK;
B. configuring at the control gateway an access control rule that 'data packets whose source address is any terminal address and whose destination address is the address of the terminal management and control system are allowed to be forwarded';
C. configuring an access control rule that 'data packets whose source address is an address in the policy control list maintained by the control gateway and whose destination address is the specified service address are allowed to be forwarded';
D. configuring an access control rule that 'data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system and whose destination port is the terminal login service port handled by the terminal management and control system are intercepted for processing';
E. configuring an access control rule that 'data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system and whose destination port is the terminal heartbeat service port handled by the terminal management and control system are intercepted for processing';
F. configuring 'the timeout stored in the policy control list for each element, i.e. each terminal source address'.
In a preferred embodiment of the present invention, step S20, in which the control gateway actively intercepts the data packets that match an interception rule, performs protocol analysis on them to obtain the terminal source address, adds the obtained terminal source address to the dynamic policy control list and sets a timeout for it, includes the following steps:
step S21, when the mobile terminal device establishes a mutual trust relationship with the terminal management and control system, i.e. performs the login service, the source address of the mobile terminal device must remain unchanged while it performs the service, and must not undergo NAT translation;
step S22, the control gateway actively intercepts the data packets sent when the mobile terminal device logs in, according to the interception rules configured in step S10, and performs protocol analysis on them to obtain the source address of the mobile terminal device;
step S23, the obtained terminal source address is added to the dynamic policy control list maintained by the control gateway, and a timeout is set for it automatically according to the interception rules configured in step S10;
step S24, the mobile terminal device may access the service specified by the interception rules configured in step S10 within the timeout.
In a preferred embodiment of the present invention, step S30, in which the control gateway actively intercepts the heartbeat packets that the mobile terminal device sends to the terminal management and control system at regular intervals and analyzes and processes them to determine whether the timeout of the terminal source address needs to be reset, includes the following steps:
step S31, after initiating the login service, the mobile terminal device sends a heartbeat packet to the terminal management and control system at regular intervals in order to remain online;
step S32, the control gateway actively intercepts the heartbeat packet sent by the mobile terminal device to the terminal management and control system according to the interception rules configured in step S10, and performs protocol analysis on the intercepted packet to obtain its terminal source address;
step S33, the control gateway checks whether the terminal source address exists in the dynamic policy control list it maintains and, if so, resets the timeout of that terminal source address; if not, the mobile terminal device with that terminal source address has not performed the login service, and the data packet from that terminal source address is discarded by default.
In a preferred embodiment of the present invention, step S40, in which the control gateway removes the corresponding terminal source address from the dynamic policy control list if it does not intercept a heartbeat packet sent by the mobile terminal device to the terminal management and control system within the timeout, includes the following steps:
step S41, the control gateway dynamically updates the terminal source addresses in the policy control list; if no heartbeat packet sent by the mobile terminal device to the terminal management and control system is intercepted within the timeout, the terminal source address is actively cleared;
step S42, the mobile terminal device whose terminal source address has been cleared from the policy control list is no longer allowed to access the service specified by the interception rules configured in step S10; if it needs access, the mobile terminal device must establish the mutual trust relationship with the terminal management and control system again, i.e. step S20 is repeated.
By adopting this technical scheme, the invention has the following beneficial effects: it actively obtains the terminal source address by analyzing data packets, combines this with a timeout keep-alive mechanism, and implements access control of mobile terminal devices by maintaining a dynamic policy control list. This effectively solves the problem that, in some practical scenarios, the control gateway cannot accurately control the access of a mobile device because the terminal cannot provide its correct IP address to the terminal management and control system through the login protocol.
Drawings
In order to illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required for the embodiments or for the description of the prior art are briefly described below. Obviously, the drawings described below show only some embodiments of the invention, and a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a flow chart of a general implementation method of an access control gateway of a conventional mobile terminal device.
Fig. 2 is a flow chart of a general implementation method of an access control gateway of a conventional mobile terminal device in some special scenarios.
Fig. 3 is a flow chart of the present invention.
Fig. 4 is a flow chart of an embodiment of the present invention.
Fig. 5 is a schematic diagram of a dynamic policy control list of the present invention.
Detailed Description
The invention is further described below with reference to the drawings, in order to make the technical means, the creative features, the objectives achieved and the effects of the invention easy to understand.
Referring to fig. 3, a method for implementing a mobile terminal device access control gateway based on data packet analysis is provided, which includes the following steps:
step S10, configuring interception rules according to which the control gateway intercepts data packets.
Step S20, when a mobile terminal device establishes a mutual trust relationship with the terminal management and control system, the control gateway actively intercepts the data packets that match the interception rules, performs protocol analysis on the intercepted data packets to obtain the terminal source address of each packet, adds the obtained terminal source address to a dynamic policy control list, and sets a timeout for the obtained terminal source address.
Step S30, the control gateway actively intercepts the heartbeat packets that the mobile terminal device sends to the terminal management and control system at regular intervals, and analyzes and processes the intercepted heartbeat packets to determine whether the timeout of the terminal source address needs to be reset.
And step S40, if the control gateway does not intercept a heartbeat packet sent by the mobile terminal device to the terminal management and control system within the timeout, the corresponding terminal source address is removed from the dynamic policy control list.
In a preferred embodiment of the present invention, in step S10, the interception rules are configured as follows:
A. the network access control mode of the control gateway includes the use of an iptables policy or the use of DPDK;
B. configuring at the control gateway an access control rule that 'data packets whose source address is any terminal address and whose destination address is the address of the terminal management and control system are allowed to be forwarded';
C. configuring an access control rule that 'data packets whose source address is an address in the policy control list maintained by the control gateway and whose destination address is the specified service address are allowed to be forwarded';
D. configuring an access control rule that 'data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system and whose destination port is the terminal login service port handled by the terminal management and control system are intercepted for processing';
E. configuring an access control rule that 'data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system and whose destination port is the terminal heartbeat service port handled by the terminal management and control system are intercepted for processing';
F. configuring 'the timeout stored in the policy control list for each element, i.e. each terminal source address'.
In step S20, in which the control gateway actively intercepts the data packets that match an interception rule, performs protocol analysis on them to obtain the terminal source address, adds the obtained terminal source address to the dynamic policy control list and sets a timeout for it, the following steps are included:
step S21, when the mobile terminal device establishes a mutual trust relationship with the terminal management and control system, i.e. performs the login service, the source address of the mobile terminal device must remain unchanged while it performs the service, and must not undergo NAT translation;
step S22, the control gateway actively intercepts the data packets sent when the mobile terminal device logs in, according to the interception rules configured in step S10, and performs protocol analysis on them to obtain the source address of the mobile terminal device;
step S23, the obtained terminal source address is added to the dynamic policy control list maintained by the control gateway, and a timeout is set for it automatically according to the interception rules configured in step S10;
step S24, the mobile terminal device may access the service specified by the interception rules configured in step S10 within the timeout.
In step S30, in which the control gateway actively intercepts the heartbeat packets that the mobile terminal device sends to the terminal management and control system at regular intervals and analyzes and processes them to determine whether to reset the timeout of the terminal source address, the following steps are included:
step S31, after initiating the login service, the mobile terminal device sends a heartbeat packet to the terminal management and control system at regular intervals in order to remain online;
step S32, the control gateway actively intercepts the heartbeat packet sent by the mobile terminal device to the terminal management and control system according to the interception rules configured in step S10, and performs protocol analysis on the intercepted packet to obtain its terminal source address;
step S33, the control gateway checks whether the terminal source address exists in the dynamic policy control list it maintains and, if so, resets the timeout of that terminal source address; if not, the mobile terminal device with that terminal source address has not performed the login service, and the data packet from that terminal source address is discarded by default.
In step S40, in which the control gateway removes the corresponding terminal source address from the dynamic policy control list if it does not intercept a heartbeat packet sent by the mobile terminal device to the terminal management and control system within the timeout, the following steps are included:
step S41, the control gateway dynamically updates the terminal source addresses in the policy control list; if no heartbeat packet sent by the mobile terminal device to the terminal management and control system is intercepted within the timeout, the terminal source address is actively cleared;
step S42, the mobile terminal device whose terminal source address has been cleared from the policy control list is no longer allowed to access the service specified by the interception rules configured in step S10; if it needs access, the mobile terminal device must establish the mutual trust relationship with the terminal management and control system again, i.e. step S20 is repeated.
The following is a specific embodiment of the method for implementing a mobile terminal device access control gateway based on data packet analysis according to the present invention:
the mobile terminal device access control gateway based on data packet analysis achieves terminal access control by actively obtaining the terminal IP address, combining this with a timeout keep-alive mechanism, and maintaining a dynamic policy control list in the gateway; this effectively solves the problem that a mobile terminal device cannot provide its real IP address to the terminal management and control system. As shown in fig. 4, the specific flow is as follows:
(1) The administrator configures the specific interception rules at the control gateway. Assume that the IP address of the specified service is 192.168.60.10; the IP address of the terminal management and control system is 192.168.10.20, the port on which it handles the login service is 8080, and the port on which it handles the keep-alive service is 18080; the IP address of terminal 1 is 192.168.60.51; and the IP address of terminal 2 is 192.168.60.52.
a. The network access control method of the control gateway includes, but is not limited to, using an iptables policy; a method such as DPDK may also be used.
b. A rule is configured that 'data packets whose source address is any terminal address and whose destination address is the IP address of the terminal management and control system (i.e. 192.168.10.20) are allowed to be forwarded'.
c. A rule is configured that 'data packets whose source address is an address in the policy control list maintained by the mobile device access control gateway and whose destination address is the IP address of the specified service (i.e. 192.168.60.10) are allowed to be forwarded'.
d. A rule is configured that 'data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system (192.168.10.20) and whose destination port is the terminal login service port handled by the terminal management and control system (8080) must be intercepted by the packet interception program'.
e. A rule is configured that 'data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system (192.168.10.20) and whose destination port is the terminal heartbeat service port handled by the terminal management and control system (18080) must be intercepted by the packet interception program'.
f. The configuration 'the timeout of each element (i.e. each terminal address) stored in the policy control list is 10 seconds' is set.
(2) Terminal 1 performs the login service with the terminal management and control system; its IP address must remain unchanged while the terminal performs the service, so NAT translation must not be performed. The mobile device access control gateway intercepts the data packet according to rule d configured in step (1), performs protocol analysis on it through the packet interception program to obtain the source address (i.e. the IP address of terminal 1), adds the IP address of terminal 1 (i.e. 192.168.60.51) to the dynamic policy control list maintained by the gateway as shown in fig. 5, sets its timeout to 10 seconds according to rule f configured in step (1), and, once this processing is complete, forwards the login data packet to the terminal management and control system according to rule b configured in step (1).
(3) After terminal 1 has logged in, the mobile device access control gateway allows it to access the service at IP address 192.168.60.10 according to rule c configured in step (1), while terminal 2, which has not performed the login service, cannot access the service at IP address 192.168.60.10.
(4) Terminal 1 must send heartbeat packets to the terminal management and control system within the timeout (10 seconds). According to rule e configured in step (1), the mobile device access control gateway intercepts the heartbeat data packets that a terminal sends to the terminal management and control system, obtains the terminal IP address through the packet interception program, and checks whether that IP address exists in the dynamic policy control list maintained by the gateway: if it does, the timeout of that terminal IP address is reset; if it does not, the terminal with that IP address has not performed the login service, and data packets whose source address is that terminal IP address are discarded by default.
(5) The mobile device access control gateway dynamically updates the terminal IP addresses in the policy control list; if no heartbeat packet from a terminal is intercepted within the timeout, the IP address of that terminal is actively cleared. When terminal 1 does not send a heartbeat packet to the terminal management and control system within the timeout (10 seconds), the gateway clears the IP address of terminal 1 from the dynamic policy control list and terminal 1 can no longer access the service at IP address 192.168.60.10; if terminal 1 needs access again, it must establish the mutual trust relationship with the terminal management and control system anew, i.e. step (2) is repeated.
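As an added illustration (not code from the patent), the following Python simulation replays steps (2) to (5) of this embodiment, and steps S10 to S40 above, against a dynamic policy control list using the addresses, ports and 10-second timeout given in step (1); the `Packet` type, the simulated clock values, the service port 443 and the distorted address carried in the login payload are constructed for the example.

```python
"""Simulation of the dynamic policy control list of this embodiment.

Added example, not the patent's own code. Addresses, ports and the 10 s timeout are
the ones the embodiment gives; the Packet type, the simulated clock, the service
port 443 and the claimed_src value are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SERVICE_IP = "192.168.60.10"      # specified service (rule c)
MGMT_IP = "192.168.10.20"         # terminal management and control system (rule b)
LOGIN_PORT = 8080                 # login service port (rule d)
HEARTBEAT_PORT = 18080            # heartbeat / keep-alive service port (rule e)
TIMEOUT_S = 10.0                  # rule f


@dataclass
class Packet:
    """Constructed minimal view of an intercepted IP/TCP packet."""
    src: str
    dst: str
    dport: int
    # IP address carried inside the login protocol payload; in the problem scenario
    # of fig. 2 this value is wrong, so the gateway must never rely on it.
    claimed_src: Optional[str] = None


@dataclass
class ControlGateway:
    # dynamic policy control list: terminal source address -> absolute expiry time
    policy_list: Dict[str, float] = field(default_factory=dict)

    def expire(self, now: float) -> List[str]:
        """Step (5) / S41: clear every entry whose heartbeat timeout has elapsed."""
        expired = [src for src, deadline in self.policy_list.items() if now >= deadline]
        for src in expired:
            del self.policy_list[src]
        return expired

    def handle(self, pkt: Packet, now: float) -> str:
        """Apply rules b-f to one packet and return 'forward' or 'drop'."""
        self.expire(now)
        if pkt.dst == MGMT_IP and pkt.dport == LOGIN_PORT:
            # Rule d / step (2): the terminal source address is taken from the IP
            # header (pkt.src), not from the login payload (pkt.claimed_src), so a
            # distorted address in the protocol cannot poison the policy list.
            self.policy_list[pkt.src] = now + TIMEOUT_S
            return "forward"           # then forwarded under rule b
        if pkt.dst == MGMT_IP and pkt.dport == HEARTBEAT_PORT:
            # Rule e / step (4): a heartbeat from a listed terminal resets its
            # timeout; a heartbeat from an unlisted source is dropped by default.
            if pkt.src in self.policy_list:
                self.policy_list[pkt.src] = now + TIMEOUT_S
                return "forward"
            return "drop"
        if pkt.dst == MGMT_IP:
            return "forward"           # rule b: any terminal may reach the management system
        if pkt.dst == SERVICE_IP and pkt.src in self.policy_list:
            return "forward"           # rule c: only listed terminals reach the service
        return "drop"                  # default for everything else


def run_embodiment() -> List[Tuple[float, str, str]]:
    """Replay steps (2)-(5) with terminal 1 and terminal 2; returns (time, event, verdict)."""
    gw = ControlGateway()
    t1, t2 = "192.168.60.51", "192.168.60.52"
    events = [
        # step (2): terminal 1 logs in; the payload even claims a wrong address
        (0.0, "t1 login", Packet(t1, MGMT_IP, LOGIN_PORT, claimed_src="10.9.9.9")),
        # step (3): terminal 1 reaches the service, terminal 2 does not
        (1.0, "t1 service", Packet(t1, SERVICE_IP, 443)),
        (1.0, "t2 service", Packet(t2, SERVICE_IP, 443)),
        # step (4): heartbeat within 10 s resets t1's timeout; t2's heartbeat is dropped
        (8.0, "t1 heartbeat", Packet(t1, MGMT_IP, HEARTBEAT_PORT)),
        (8.0, "t2 heartbeat", Packet(t2, MGMT_IP, HEARTBEAT_PORT)),
        (15.0, "t1 service", Packet(t1, SERVICE_IP, 443)),   # deadline is now 18.0
        # step (5): no heartbeat since t=8 -> entry expires at 18.0, access denied
        (18.5, "t1 service", Packet(t1, SERVICE_IP, 443)),
    ]
    return [(t, name, gw.handle(pkt, t)) for t, name, pkt in events]


if __name__ == "__main__":
    for t, name, verdict in run_embodiment():
        print(f"t={t:5.1f}s  {name:13s} -> {verdict}")
```

The replay shows why the list is keyed on the header source address: the wrong address in the login payload never enters the list, and the entry lives exactly as long as heartbeats keep arriving within the configured 10 seconds.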
The invention actively obtains the terminal IP address by analyzing data packets, combines this with a timeout keep-alive mechanism, and implements access control of mobile terminal devices by maintaining a dynamic policy control list. This effectively solves the problem that, in certain practical scenarios, the mobile device access control gateway cannot accurately control the access of a terminal because the terminal cannot provide its correct IP address to the terminal management and control system through the login protocol.
The foregoing has shown and described the basic principles and main features of the present invention and the advantages of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.
Claims (5)
1. A method for implementing a mobile terminal device access control gateway based on data packet analysis, characterized in that it comprises the following steps:
step S10, configuring interception rules according to which the control gateway intercepts data packets;
step S20, when a mobile terminal device establishes a mutual trust relationship with the terminal management and control system, the control gateway actively intercepts the data packets that match an interception rule, performs protocol analysis on the intercepted data packets to obtain the terminal source address of each packet, adds the obtained terminal source address to a dynamic policy control list, and sets a timeout for the obtained terminal source address;
step S30, the control gateway actively intercepts the heartbeat packets that the mobile terminal device sends to the terminal management and control system at regular intervals, and analyzes and processes the intercepted heartbeat packets to determine whether the timeout of the terminal source address needs to be reset;
and step S40, if the control gateway does not intercept a heartbeat packet sent by the mobile terminal device to the terminal management and control system within the timeout, the corresponding terminal source address is removed from the dynamic policy control list.
2. The method for implementing a mobile terminal device access control gateway based on data packet analysis according to claim 1, wherein in step S10 the interception rules are configured as follows:
A. the network access control mode of the control gateway includes the use of an iptables policy or the use of DPDK;
B. configuring at the control gateway an access control rule that 'data packets whose source address is any terminal address and whose destination address is the address of the terminal management and control system are allowed to be forwarded';
C. configuring an access control rule that 'data packets whose source address is an address in the policy control list maintained by the control gateway and whose destination address is the specified service address are allowed to be forwarded';
D. configuring an access control rule that 'data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system and whose destination port is the terminal login service port handled by the terminal management and control system are intercepted for processing';
E. configuring an access control rule that 'data packets whose source address is any terminal address, whose destination address is the address of the terminal management and control system and whose destination port is the terminal heartbeat service port handled by the terminal management and control system are intercepted for processing';
F. configuring 'the timeout stored in the policy control list for each element, i.e. each terminal source address'.
3. The method for implementing an access control gateway for mobile terminal devices based on data packet analysis according to claim 1, wherein in step S20 the control gateway actively intercepts the data packets matching the interception rules, performs protocol analysis on each intercepted packet to obtain its terminal source address, adds the obtained terminal source address to the dynamic policy control list, and sets a timeout for it, comprising the following steps:
step S21, when the mobile terminal device establishes a mutual trust relationship with the terminal management and control system, namely performs the login service, the source address of the mobile terminal device must remain unchanged while the service is in use, and must not undergo NAT translation;
step S22, the control gateway actively intercepts the data packet sent when the mobile terminal device logs in, according to the interception rules configured in step S10, and performs protocol analysis on the packet to obtain the source address of the mobile terminal device;
step S23, the obtained terminal source address is added to the dynamic policy control list maintained by the control gateway, and a timeout is set automatically for it according to the interception rules configured in step S10;
step S24, the mobile terminal device may access the service designated by the interception rules configured in step S10 for as long as the timeout has not elapsed.
4. The method for implementing an access control gateway for mobile terminal devices based on data packet analysis according to claim 1, wherein in step S30 the control gateway actively intercepts the heartbeat packets sent at regular intervals by the mobile terminal device to the terminal management and control system, and analyzes and processes the intercepted heartbeat packets to determine whether the timeout of the terminal source address needs to be reset, comprising the following steps:
step S31, after initiating the login service, the mobile terminal device sends a heartbeat packet to the terminal management and control system at regular intervals to keep its online state;
step S32, the control gateway actively intercepts the heartbeat packet sent by the mobile terminal device to the terminal management and control system according to the interception rules configured in step S10, and performs protocol analysis on the intercepted packet to obtain its terminal source address;
step S33, checking whether the terminal source address exists in the dynamic policy control list maintained by the control gateway; if it exists, the timeout of that terminal source address is reset; if not, the mobile terminal device corresponding to that terminal source address has not logged in to the service, and the data packet from that terminal source address is discarded by default.
5. The method for implementing an access control gateway for mobile terminal devices based on data packet analysis according to claim 1, wherein in step S40, when the control gateway intercepts no heartbeat packet sent by the mobile terminal device to the terminal management and control system within the timeout, it removes the corresponding terminal source address from the dynamic policy control list, comprising the following steps:
step S41, the control gateway dynamically updates the terminal source addresses in the policy control list: if no heartbeat packet sent by the mobile terminal device to the terminal management and control system is intercepted within the timeout, the terminal source address is actively cleared;
step S42, a mobile terminal device whose terminal source address has been cleared from the policy control list is no longer allowed to access the service designated by the interception rules configured in step S10; to regain access, the mobile terminal device must establish a mutual trust relationship with the terminal management and control system again, i.e. step S20 is repeated.
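The claims above describe one procedure: a login packet intercepted by the gateway admits the terminal's source address into a dynamic policy control list with a timeout (S20), heartbeats to the management system reset that timeout (S30), and an entry whose timeout elapses is evicted so the terminal loses access to the designated service until it logs in again (S40). The following Python model, added here as an illustration and not code from the patent or its applicant, implements the list and the gateway's per-packet decision for rules B to F of claim 2. The actual interception mechanism (an iptables queue target or a DPDK poll loop) is abstracted away: packets arrive as already-parsed records with a source address, destination address, destination port and arrival timestamp. Every address, port and the 90-second timeout are constructed values, not taken from the patent.

```python
"""Dynamic policy-control list for a packet-analysis access gateway.

Added example, not the patent's own code. All addresses, ports and the
timeout value below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed configuration (assumptions, not values from the patent):
MGMT_ADDR = "10.0.0.1"       # terminal management and control system
SERVICE_ADDR = "10.0.0.50"   # designated service a terminal may use after login (rule C)
LOGIN_PORT = 8443            # terminal login service port on the management system (rule D)
HEARTBEAT_PORT = 8444        # terminal heartbeat service port on the management system (rule E)
TERMINAL_PREFIX = "10.1."    # "all terminal addresses" (rules B, D, E)
TIMEOUT = 90.0               # timeout stored per policy-list entry (rule F), in seconds


@dataclass(frozen=True)
class Packet:
    src: str     # terminal source address obtained by protocol analysis
    dst: str
    dport: int
    ts: float    # arrival time, injected so the example is deterministic


class PolicyControlList:
    """Dynamic policy control list: terminal source address -> expiry time."""

    def __init__(self, timeout: float) -> None:
        self.timeout = timeout
        self._expiry: Dict[str, float] = {}

    def add(self, src: str, now: float) -> None:
        """Step S23: admit a source address and start its timeout."""
        self._expiry[src] = now + self.timeout

    def reset(self, src: str, now: float) -> bool:
        """Step S33: a heartbeat from a listed address resets its timeout."""
        if src not in self._expiry:
            return False
        self._expiry[src] = now + self.timeout
        return True

    def contains(self, src: str) -> bool:
        return src in self._expiry

    def expire(self, now: float) -> List[str]:
        """Step S41: remove every address whose timeout has elapsed."""
        stale = [s for s, exp in self._expiry.items() if exp <= now]
        for s in stale:
            del self._expiry[s]
        return stale


class ControlGateway:
    def __init__(self) -> None:
        self.plist = PolicyControlList(TIMEOUT)

    def handle(self, pkt: Packet) -> str:
        """Return the gateway's decision for one packet."""
        self.plist.expire(pkt.ts)               # step S40: housekeeping on every arrival

        if not pkt.src.startswith(TERMINAL_PREFIX):
            return "drop"                       # not a terminal address: no rule matches

        if pkt.dst == MGMT_ADDR:
            if pkt.dport == LOGIN_PORT:         # rule D, steps S22/S23
                self.plist.add(pkt.src, pkt.ts)
                return "forward:login"
            if pkt.dport == HEARTBEAT_PORT:     # rule E, step S33
                if self.plist.reset(pkt.src, pkt.ts):
                    return "forward:heartbeat"
                return "drop"                   # heartbeat from a terminal that never logged in
            return "forward"                    # rule B: any terminal may reach the management system

        if pkt.dst == SERVICE_ADDR:             # rule C, steps S24/S42
            return "forward" if self.plist.contains(pkt.src) else "drop"

        return "drop"                           # default deny for everything else


def run_scenario() -> List[str]:
    """Constructed packet trace walking through steps S20 to S40."""
    gw = ControlGateway()
    trace = [
        Packet("10.1.0.7", SERVICE_ADDR, 443, 0.0),           # before login: denied (rule C)
        Packet("10.1.0.7", MGMT_ADDR, LOGIN_PORT, 1.0),       # login intercepted, address admitted
        Packet("10.1.0.7", SERVICE_ADDR, 443, 2.0),           # now allowed
        Packet("10.1.0.7", MGMT_ADDR, HEARTBEAT_PORT, 60.0),  # heartbeat: expiry moves to 150.0
        Packet("10.1.0.9", MGMT_ADDR, HEARTBEAT_PORT, 61.0),  # heartbeat without login: dropped
        Packet("10.1.0.7", SERVICE_ADDR, 443, 140.0),         # still inside the reset timeout
        Packet("10.1.0.7", SERVICE_ADDR, 443, 200.0),         # timeout elapsed: evicted, denied
        Packet("10.1.0.7", MGMT_ADDR, HEARTBEAT_PORT, 201.0), # heartbeat after eviction: dropped
    ]
    return [gw.handle(p) for p in trace]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

Two points the model makes visible. First, the heartbeat handling in S33 is what turns the list from a static allow list into a liveness-bound one: a terminal that stops sending heartbeats falls off the list after one timeout, and even a heartbeat from an address that never logged in is dropped rather than admitted. Second, the whole scheme keys on the terminal source address, which is why step S21 forbids NAT between terminal and gateway; an operator deploying it should verify that no translation happens on that path, and should choose the timeout small enough that an evicted or off-network terminal's address is not left open longer than the heartbeat interval requires.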
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111288984.4A CN113973303B (en) | 2021-11-02 | 2021-11-02 | Method for realizing mobile terminal equipment access control gateway based on data packet analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113973303A (en) | 2022-01-25 |
CN113973303B (en) | 2024-04-02 |
Family
ID=79589361
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111288984.4A Active CN113973303B (en) | 2021-11-02 | 2021-11-02 | Method for realizing mobile terminal equipment access control gateway based on data packet analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113973303B (en) |
Citations (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7194004B1 (en) * | 2002-01-28 | 2007-03-20 | 3Com Corporation | Method for managing network access |
KR20070081116A (en) * | 2007-02-09 | 2007-08-14 | 주식회사 코어세스 | Apparatus and method for automatically blocking spoofing by address resolution protocol |
CN101119315A (en) * | 2007-09-17 | 2008-02-06 | 当代天启技术(北京)有限公司 | Data transmission method, system and gateway in control network |
CN101119206A (en) * | 2007-09-13 | 2008-02-06 | 北京交通大学 | Identification based integrated network terminal united access control method |
CN101355459A (en) * | 2008-08-29 | 2009-01-28 | 北京理工大学 | Method for monitoring network based on credible protocol |
CN101567888A (en) * | 2008-12-29 | 2009-10-28 | 郭世泽 | Safety protection method of network feedback host computer |
CN102307197A (en) * | 2011-08-29 | 2012-01-04 | 浙江中烟工业有限责任公司 | Trusted enhancement subsystem of multilevel security intercommunication platform |
CN103916424A (en) * | 2012-12-31 | 2014-07-09 | 中国移动通信集团广东有限公司 | Application program heartbeat packet control method, communication terminal and communication network |
CN104753926A (en) * | 2015-03-11 | 2015-07-01 | 华中科技大学 | Gateway access control method |
CN105052106A (en) * | 2013-03-15 | 2015-11-11 | 柏思科技有限公司 | Methods and systems for receiving and transmitting internet protocol (ip) data packets |
CN105227515A (en) * | 2014-05-28 | 2016-01-06 | 腾讯科技(深圳)有限公司 | Network intrusions blocking-up method, Apparatus and system |
CN105282157A (en) * | 2015-10-22 | 2016-01-27 | 中国人民解放军装备学院 | Secure communication control method |
CN108337257A (en) * | 2018-01-31 | 2018-07-27 | 新华三技术有限公司 | A kind of authentication-exempt access method and gateway device |
CN108881328A (en) * | 2018-09-29 | 2018-11-23 | 北京东土军悦科技有限公司 | Packet filtering method, device, gateway and storage medium |
CN109088844A (en) * | 2017-06-13 | 2018-12-25 | 腾讯科技(深圳)有限公司 | Information intercepting method, terminal, server and system |
CN110336836A (en) * | 2019-08-06 | 2019-10-15 | 郑州信大捷安信息技术股份有限公司 | A kind of Web filtering service system and method |
CN111245858A (en) * | 2020-01-19 | 2020-06-05 | 世纪龙信息网络有限责任公司 | Network flow interception method, system, device, computer equipment and storage medium |
CN113010911A (en) * | 2021-02-07 | 2021-06-22 | 腾讯科技(深圳)有限公司 | Data access control method and device and computer readable storage medium |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7707401B2 (en) * | 2002-06-10 | 2010-04-27 | Quest Software, Inc. | Systems and methods for a protocol gateway |
US20130316675A1 (en) * | 2012-05-24 | 2013-11-28 | Seven Networks, Inc. | Facilitation of mobile operator billing based on wireless network traffic management and tracking of destination address in conjunction with billing policies |
Events: 2021-11-02, CN, application CN202111288984.4A, patent CN113973303B, status active.
Non-Patent Citations (3)
Title |
---|
Design and implementation of an IP control gateway; Jiang Xijiong, Feng Hongqi; Journal of Jiangsu Polytechnic University (No. 03); full text * |
Research and implementation of a scheme for transmitting media streams across gateways; Yu Shengsheng, Zhou Jiang, Zhou Jingli; Application Research of Computers (No. 05); full text * |
Construction of a terminal security management and control system for a campus network; Ma Liang; Computer & Network (No. 22); full text * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9467327B2 (en) | Server-mediated setup and maintenance of peer-to-peer client computer communications | |
EP3367627B1 (en) | Performing a specific action on a network packet identified as a message queuing telemetry transport (mqtt) packet | |
CN110199509B (en) | Unauthorized access point detection using multi-path authentication | |
US10313397B2 (en) | Methods and devices for access control of data flows in software defined networking system | |
US9515995B2 (en) | Method and apparatus for network address translation and firewall traversal | |
EP2790387B1 (en) | Method and system for providing connectivity for an ssl/tls server behind a restrictive firewall or nat | |
CN109314701B (en) | Network path probing using available network connections | |
US10547647B2 (en) | Intra-carrier and inter-carrier network security system | |
US11936629B2 (en) | System and method for creating a secure hybrid overlay network | |
US12101318B2 (en) | Adaptive multipath tunneling in cloud-based systems | |
US11855958B2 (en) | Selection of an egress IP address for egress traffic of a distributed cloud computing network | |
CN113973303B (en) | Method for realizing mobile terminal equipment access control gateway based on data packet analysis | |
US11799914B2 (en) | Cellular internet of things battery drain prevention in mobile networks | |
US10630717B2 (en) | Mitigation of WebRTC attacks using a network edge system | |
US11496888B2 (en) | Techniques to provide seamless mobility for multiple accesses of an enterprise fabric | |
US20240171654A1 (en) | Method of operating a telecommunications network | |
US11974134B2 (en) | Methods, systems, and computer readable media for validating subscriber entities against spoofing attacks in a communications network | |
US20240334184A1 (en) | Distributed Network Edge Security Architecture | |
Liu et al. | Avoiding VPN bottlenecks: Exploring network-level client identity validation options | |
Liu et al. | Beyond the VPN: practical client identity in an internet with widespread IP address sharing | |
US20230319684A1 (en) | Resource filter for integrated networks | |
Fan et al. | Design and implementation of NAT traversal based on SCDMA access gateway | |
Liu | Residential Network Security: Using Software-defined Networking to Inspect and Label Traffic | |
CN113225224A (en) | Network speed measuring method, system, storage medium and computer equipment | |
CN108471431A (en) | A kind of home network traffic method for interception and home network traffic management equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| PE01 | Entry into force of the registration of the contract for pledge of patent right | Denomination of invention: Implementation method of mobile terminal device access control gateway based on packet analysis. Granted publication date: 20240402. Pledgee: Chongming Sub branch of Shanghai Rural Commercial Bank Co.,Ltd. Pledgor: SHANGHAI KOAL SAFETY TECHNOLOGY CO.,LTD. Registration number: Y2024310000835 |