CN117061161A - Network access control method and device - Google Patents
- Publication number
- CN117061161A (application number CN202310964810.8A)
- Authority
- CN
- China
- Prior art keywords
- address
- security area
- network security
- area corresponding
- destination
- Legal status
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Abstract
The application discloses a network access control method and device. When an access request is received, a source IP address and a destination IP address are acquired from the access request; the network security areas corresponding to the source IP address and to the destination IP address are acquired from a correspondence table; the control mode corresponding to the network security area of the source IP address and the control mode corresponding to the network security area of the destination IP address are selected from an access control policy table; and the access mode in which the network security area of the source IP address accesses the network security area of the destination IP address is determined according to those two control modes. If a control mode is detail control, a control point is determined, network configuration is issued at that control point, and access then proceeds through the network configuration, so that network service efficiency is improved while the security compliance requirement of opening detail-controlled access on demand is met.
Description
Technical Field
The present application relates to the field of the internet, and in particular, to a method and apparatus for controlling network access.
Background
Commercial banks are currently promoting the transformation from private cloud to public cloud, which at the network layer mainly changes the centralized firewall access control mode of the traditional private cloud into the distributed access control mode of the public cloud.
When the network changes in this way, the logic of network configuration issuance changes from a quintuple form (namely source IP address, source port, destination IP address, destination port and transport layer protocol) to a quadruple form (namely source IP address, destination IP address, source port and destination port), and the object to which configuration is issued changes from specific hardware equipment to a virtual server. At present, access can only be performed by manually modifying the issued configuration logic and the issued object.
Disclosure of Invention
The application provides a network access control method and device, and aims to improve network service efficiency.
In order to achieve the above object, the present application provides the following technical solutions:
a network access control method, comprising:
when an access request is received, acquiring a source IP address and a destination IP address from the access request;
acquiring a network security area corresponding to the source IP address and a network security area corresponding to the destination IP address from a corresponding relation table; the corresponding relation table is constructed in advance based on the IP address and the network security area;
selecting a control mode corresponding to the network security area corresponding to the source IP address from an access control policy table, and selecting a control mode corresponding to the network security area corresponding to the destination IP address; the control mode comprises large-section release or detail control; the access control policy table is pre-constructed based on the network security area and the control mode;
determining, according to the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address, the access mode in which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address; the access mode comprises direct access and access by utilizing network configuration.
Optionally, the process of pre-constructing the access control policy table based on the network security area and the control mode includes:
dividing the network security area to obtain a security area set; the security area set comprises at least each security area;
for each security area, taking the security area as a source IP address and other security areas as destination IP addresses; the other security areas comprise other security areas except the security area corresponding to the source IP address in the security area set;
for each destination IP address, respectively combining the source IP address with the destination IP address to obtain each combined IP address;
sending each combined IP address to a user so that the user inputs a control mode corresponding to each combined IP address;
when receiving the control mode corresponding to each combined IP address input by a user, constructing the access control policy table based on each combined IP address and the control mode corresponding to each combined IP address.
Optionally, the determining, according to the control manner corresponding to the network security area corresponding to the source IP address and the control manner corresponding to the network security area corresponding to the destination IP address, the access manner of accessing the network security area corresponding to the destination IP address includes:
when the control mode corresponding to the network security area corresponding to the source IP address is the detail control, determining a first control point according to the control mode corresponding to the network security area corresponding to the source IP address and the source IP address, calling an issuing configuration tool to issue network configuration at the first control point, and marking that network configuration as the first network configuration;
when the control mode corresponding to the network security area corresponding to the destination IP address is the detail control, determining a second control point according to the control mode corresponding to the network security area corresponding to the destination IP address and the destination IP address;
and calling the issuing configuration tool to issue network configuration at the second control point, identifying that network configuration as the second network configuration, and determining that the access mode in which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access by utilizing the first network configuration and the second network configuration.
Optionally, the determining, according to the control manner corresponding to the network security area corresponding to the source IP address and the control manner corresponding to the network security area corresponding to the destination IP address, the access manner of accessing the network security area corresponding to the destination IP address includes:
and when the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address are both the large-section release, determining that the access mode in which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is direct access.
Optionally, the determining, according to the control manner corresponding to the network security area corresponding to the source IP address and the control manner corresponding to the network security area corresponding to the destination IP address, the access manner of accessing the network security area corresponding to the destination IP address includes:
when the control mode corresponding to the network security area corresponding to the source IP address is the large-section release and the control mode corresponding to the network security area corresponding to the destination IP address is the detail control, determining a control point according to the control mode corresponding to the network security area corresponding to the destination IP address and the destination IP address;
and after network configuration is issued at the control point, determining that the access mode in which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access by utilizing the network configuration.
Optionally, the determining, according to the control manner corresponding to the network security area corresponding to the source IP address and the control manner corresponding to the network security area corresponding to the destination IP address, the access manner of accessing the network security area corresponding to the destination IP address includes:
when the control mode corresponding to the network security area corresponding to the source IP address is the detail control and the control mode corresponding to the network security area corresponding to the destination IP address is the large-section release, determining a control point according to the control mode corresponding to the network security area corresponding to the source IP address and the source IP address;
and after network configuration is issued at the control point, determining that the access mode in which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access by utilizing the network configuration.
A network access control device, comprising:
a first obtaining unit, configured to obtain a source IP address and a destination IP address from an access request when the access request is received;
a second obtaining unit, configured to obtain, from a correspondence table, a network security area corresponding to the source IP address and a network security area corresponding to the destination IP address; the corresponding relation table is constructed in advance based on the IP address and the network security area;
a selecting unit, configured to select, from an access control policy table, a control mode corresponding to the network security area corresponding to the source IP address, and select a control mode corresponding to the network security area corresponding to the destination IP address; the control mode comprises large-section release or detail control; the access control policy table is pre-constructed based on the network security area and the control mode;
a determining unit, configured to determine, according to the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address, the access mode in which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address; the access mode comprises direct access and access by utilizing network configuration.
Optionally, the selecting unit is specifically configured to:
dividing the network security area to obtain a security area set; the security area set comprises at least each security area;
for each security area, taking the security area as a source IP address and other security areas as destination IP addresses; the other security areas comprise other security areas except the security area corresponding to the source IP address in the security area set;
for each destination IP address, respectively combining the source IP address with the destination IP address to obtain each combined IP address;
sending each combined IP address to a user so that the user inputs a control mode corresponding to each combined IP address;
when receiving the control mode corresponding to each combined IP address input by a user, constructing the access control policy table based on each combined IP address and the control mode corresponding to each combined IP address.
Optionally, the determining unit is specifically configured to:
when the control mode corresponding to the network security area corresponding to the source IP address is the detail control, determining a first control point according to the control mode corresponding to the network security area corresponding to the source IP address and the source IP address, calling an issuing configuration tool to issue network configuration at the first control point, and marking that network configuration as the first network configuration;
when the control mode corresponding to the network security area corresponding to the destination IP address is the detail control, determining a second control point according to the control mode corresponding to the network security area corresponding to the destination IP address and the destination IP address;
and calling the issuing configuration tool to issue network configuration at the second control point, identifying that network configuration as the second network configuration, and determining that the access mode in which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access by utilizing the first network configuration and the second network configuration.
Optionally, the determining unit is specifically configured to:
and when the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address are both the large-section release, determining that the access mode in which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is direct access.
According to the technical scheme provided by the application, when an access request is received, a source IP address and a destination IP address are acquired from the access request; the network security areas corresponding to the source IP address and to the destination IP address are acquired from a correspondence table; the control mode corresponding to the network security area of the source IP address and the control mode corresponding to the network security area of the destination IP address are selected from an access control policy table; and the access mode in which the network security area of the source IP address accesses the network security area of the destination IP address is determined according to those two control modes. Network configuration no longer needs to be issued manually: if a control mode is detail control, only the control point corresponding to that control mode and IP address needs to be determined, network configuration is issued at that control point, and access then proceeds through the network configuration, so that the timeliness of network services is improved while the security compliance requirement is met.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a network access control method according to an embodiment of the present application;
FIG. 2 is a flowchart of a method for constructing an access control policy table according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an access control policy table according to an embodiment of the present application;
FIG. 4 is a flowchart of a method for determining an access manner according to an embodiment of the present application;
FIG. 5 is a flowchart of another method for determining an access manner according to an embodiment of the present application;
FIG. 6 is a flowchart of another method for determining an access manner according to an embodiment of the present application;
FIG. 7 is a schematic architecture diagram of a network access control device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
As shown in FIG. 1, a flowchart of a network access control method according to an embodiment of the present application includes the following steps:
S101: when an access request is received, a source IP address and a destination IP address are obtained from the access request.
The access request indicates a request for one network security area to access another network security area.
It will be appreciated that since the access request carries the source IP address and the destination IP address, both can be obtained from the access request.
S102: acquiring the network security area corresponding to the source IP address and the network security area corresponding to the destination IP address from the correspondence table.
The correspondence table is constructed in advance based on the IP address and the network security area.
The network security area comprises at least a security area (such as an open area or a disaster recovery area) and an affiliated area (such as Wuhan or Beijing).
It should be noted that the names of the security area and the affiliated area are user-defined and can be changed according to user requirements.
Specifically, assuming that the correspondence table is as shown in Table 1, with the source IP address 11.xx.32-192 and the destination IP address 11.xx.0-31, the network security area corresponding to the source IP address is the open area in Beijing, and the network security area corresponding to the destination IP address is the open area in Wuhan.
TABLE 1
It should be noted that the foregoing description of table 1 is only for illustration.
S103: selecting, from the access control policy table, the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address.
The control mode comprises large-section release or detail control; the access control policy table is pre-constructed based on the network security area and the control mode.
Large-section release indicates that access can be performed directly, whereas detail control requires that network configuration be issued at the control point of the network security area corresponding to the IP address before access can be performed.
It can be understood that the two control modes may be the same or different; the control modes corresponding to the network security areas of the two IP addresses are not necessarily different merely because the network security areas themselves are different.
Optionally, in the process of constructing the access control policy table, the network security area may first be divided by technology stack type into a business technology stack (private cloud) and an internet technology stack (public cloud); a demand matrix is then constructed from the core elements of the access relationship (such as IP addresses) so as to remain compatible with other security requirements and with maintainability (for example, anti-virus port control), and this matrix is refined from the service-oriented perspective according to the public cloud access control logic to obtain the access control policy table.
Optionally, an embodiment of the present application provides a method for constructing an access control policy table, as shown in fig. 2, including the following steps:
S201: dividing the network security area to obtain a security area set.
Wherein the set of security areas includes at least respective security areas.
Optionally, the security area at least includes an open area, an external connection area, and an interconnection area.
S202: for each secure zone, the secure zone is taken as the source IP address and the other secure zones are taken as the destination IP addresses.
The other security areas comprise other security areas except the security area corresponding to the source IP address in the security area set.
Specifically, it is assumed that there are three security areas, namely, a first security area, a second security area and a third security area, and for the three security areas, the security area is used as a source IP address, and other security areas are used as destination IP addresses, that is, the first security area is used as a source IP address, and the second security area and the third security area are used as destination IP addresses; taking the second security area as a source IP address, and taking the first security area and the third security area as destination IP addresses; the third secure area is used as a source IP address, and the first secure area and the second secure area are used as destination IP addresses.
S203: combining, for each destination IP address, the source IP address with the destination IP address to obtain each combined IP address.
Specifically, assuming that there are three destination IP addresses and two source IP addresses, namely a first destination IP address, a second destination IP address and a third destination IP address, and a first source IP address and a second source IP address, then for the three destination IP addresses the two source IP addresses are each combined with each destination address to obtain: a first combined IP address, first source IP address + first destination IP address; a second combined IP address, first source IP address + second destination IP address; a third combined IP address, first source IP address + third destination IP address; a fourth combined IP address, second source IP address + first destination IP address; a fifth combined IP address, second source IP address + second destination IP address; and a sixth combined IP address, second source IP address + third destination IP address.
S204: sending each combined IP address to the user so that the user inputs the control mode corresponding to each combined IP address.
It will be appreciated that there may be different control modes between each combined IP address, and therefore, each combined IP address needs to be sent to the user so that the user inputs the control mode corresponding to each combined IP address.
S205: when receiving the control mode corresponding to each combined IP address input by the user, constructing an access control strategy table based on each combined IP address and the control mode corresponding to each combined IP address.
The access control policy table is constructed based on each combined IP address and the control mode corresponding to each combined IP address, as shown in fig. 3, in which outbound represents active access (i.e., the current network security area actively accesses another network security area), and inbound represents passive access (i.e., the other network security area accesses the current network security area).
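The procedure of S201 to S205, written out as an added example that is not the patent's own code: every security area is paired with every other security area as an ordered (source, destination) combination, the user is asked for a control mode per combination, and the answers are assembled into a table with the outbound and inbound columns of FIG. 3. The zone names, the `ask_user` callback and the `sample_answers` policy below are constructed stand-ins for the front end and the user's input.

```python
"""Build the access control policy table of steps S201-S205.

Added example, not the patent's own code: the zone names and the control
modes below are constructed sample data, and `ask_user` stands in for the
front end that collects one control mode per combined (source, destination)
pair.
"""
from itertools import permutations

LARGE_SECTION_RELEASE = "large-section release"
DETAIL_CONTROL = "detail control"
CONTROL_MODES = {LARGE_SECTION_RELEASE, DETAIL_CONTROL}


def combine_zones(security_areas):
    """S202/S203: each zone as source against every other zone as
    destination, giving n*(n-1) ordered (source, destination) pairs."""
    return list(permutations(security_areas, 2))


def build_policy_table(security_areas, ask_user):
    """S204/S205: send each combined pair to the user, collect a control
    mode for it and assemble the table.

    table[zone]["outbound"][other] is the mode applied when `zone` actively
    accesses `other`; table[zone]["inbound"][other] is the mode applied when
    `other` accesses `zone` (the outbound/inbound columns of FIG. 3).
    """
    table = {zone: {"outbound": {}, "inbound": {}} for zone in security_areas}
    for src, dst in combine_zones(security_areas):
        mode = ask_user(src, dst)
        # Reject anything that is not one of the two defined control modes,
        # so a typo in the user's input cannot silently open a path.
        if mode not in CONTROL_MODES:
            raise ValueError(f"unknown control mode {mode!r} for {src} -> {dst}")
        table[src]["outbound"][dst] = mode
        table[dst]["inbound"][src] = mode
    return table


def sample_answers(src, dst):
    """Constructed stand-in for the user's answers: any pair touching the
    interconnection area is held under detail control, the rest released."""
    if "interconnection" in (src, dst):
        return DETAIL_CONTROL
    return LARGE_SECTION_RELEASE


# The three security areas the description names in S201.
SECURITY_AREAS = ["open", "external connection", "interconnection"]

if __name__ == "__main__":
    for zone, directions in build_policy_table(SECURITY_AREAS, sample_answers).items():
        print(zone, directions)
```

Keying the table by zone with separate outbound and inbound maps mirrors FIG. 3: the same answer for the pair (open, interconnection) is recorded once as open's outbound mode and once as interconnection's inbound mode, so S103 can look up either side of a request without recomputing the combination.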
S104: determining, according to the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address, the access mode in which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address.
The access mode comprises direct access and access by utilizing network configuration.
It can be understood that there are four combinations in which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address: the first is large-section release + large-section release, the second is large-section release + detail control, the third is detail control + large-section release, and the fourth is detail control + detail control.
Even if the control mode corresponding to the network security area corresponding to the source IP address is large-section release, it does not follow that the network security area corresponding to the source IP address can access the network security area corresponding to the destination IP address; the control mode corresponding to the network security area corresponding to the destination IP address must also be known.
Optionally, the access control policy table, the historical access condition and the network configuration condition are displayed to the user through the front end, so that self-service network service oriented to the user is realized, and the associated functions of audit, tracing, report and the like are developed.
Optionally, in another embodiment of the present application, a specific implementation of step S104, as shown in fig. 4, includes the following steps:
S401: when the control mode corresponding to the network security area corresponding to the source IP address is detail control, determining a first control point according to the control mode corresponding to the network security area corresponding to the source IP address and the source IP address, calling an issuing configuration tool to issue network configuration at the first control point, and marking that network configuration as the first network configuration.
The issuing configuration tool includes, but is not limited to, a preset script and an API interface. The issuing configuration tool to be used is determined according to the control point: if the first control point belongs to the business technology stack (private cloud), the preset script is called to issue network configuration; if the first control point belongs to the internet technology stack (public cloud), the API interface is called to issue network configuration.
Optionally, the network configuration includes, but is not limited to, an IP address, a gateway and DNS.
It will be appreciated that when the control mode is detail control, access cannot be performed directly; the control point must first be determined, network configuration is issued at the control point, and access is then performed by using the network configuration.
S402: when the control mode corresponding to the network security area corresponding to the destination IP address is detail control, determining a second control point according to the control mode corresponding to the network security area corresponding to the destination IP address and the destination IP address.
It will be appreciated that the control points corresponding to different IP addresses are different, and therefore the control point needs to be determined according to both the control mode and the IP address.
S403: calling the issuing configuration tool to issue network configuration at the second control point, identifying that network configuration as the second network configuration, and determining that the access mode in which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access by using the first network configuration and the second network configuration.
It can be understood that, when the access manner of the network security area corresponding to the source IP address and the access manner of the network security area corresponding to the destination IP address are detail control, the access purpose needs to be achieved through the first network configuration and the second network configuration.
Optionally, in another embodiment of the present application, a specific implementation of step S104 includes the following step:
when the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address are both large-section release, determining that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is direct access.
It can be understood that when the control modes of both areas are large-section release, access is achieved without performing any further operation.
Optionally, in another embodiment of the present application, a specific implementation of step S104, as shown in fig. 5, includes the following steps:
S501: when the control mode corresponding to the network security area corresponding to the source IP address is large-section release and the control mode corresponding to the network security area corresponding to the destination IP address is detail control, determining a control point according to the control mode corresponding to the network security area corresponding to the destination IP address and the destination IP address.
It can be understood that when the control mode corresponding to the network security area corresponding to the source IP address is large-section release, no operation is needed on the source side when it initiates access; when the control mode corresponding to the network security area corresponding to the destination IP address is detail control, the control point is determined according to that control mode and the destination IP address.
S502: after the issuing configuration tool has been called to issue network configuration at the control point, determining that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access using that network configuration.
It can be understood that when the source side is large-section release and the destination side is detail control, the network configuration must first be issued at the control point corresponding to the destination IP address, and access is then achieved through that network configuration.
Alternatively, in another embodiment of the present application, a specific implementation of step S104, as shown in fig. 6, includes the following steps:
S601: when the control mode corresponding to the network security area corresponding to the source IP address is detail control and the control mode corresponding to the network security area corresponding to the destination IP address is large-section release, determining a control point according to the control mode corresponding to the network security area corresponding to the source IP address and the source IP address.
It can be understood that when the control mode corresponding to the network security area corresponding to the source IP address is detail control, the control point is determined according to that control mode and the source IP address; when the control mode corresponding to the network security area corresponding to the destination IP address is large-section release, no operation is performed on the destination side.
S602: after the issuing configuration tool has been called to issue network configuration at the control point, determining that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access using that network configuration.
It can be understood that when the destination side is large-section release and the source side is detail control, the network configuration must first be issued at the control point corresponding to the source IP address, and access is then achieved through that network configuration.
In summary, the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is determined according to the control mode corresponding to each of the two network security areas.
Fig. 7 is a schematic architecture diagram of a network access control device according to an embodiment of the present application. The access control device comprises a first acquisition unit 100, a second acquisition unit 200, a selection unit 300 and a determination unit 400.
The first acquisition unit 100 is configured to acquire, when an access request is received, a source IP address and a destination IP address from the access request.
The second acquisition unit 200 is configured to acquire, from the correspondence table, the network security area corresponding to the source IP address and the network security area corresponding to the destination IP address; the correspondence table is constructed in advance based on IP addresses and network security areas.
The selection unit 300 is configured to select, from the access control policy table, the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address; the control mode comprises large-section release or detail control; the access control policy table is constructed in advance based on network security areas and control modes.
The selection unit 300 is specifically configured to: divide the network security areas to obtain a security area set, which comprises at least each security area; for each security area, take that security area as the source IP address and the other security areas as destination IP addresses, the other security areas being the security areas in the set other than the one corresponding to the source IP address; for each destination IP address, combine the source IP address with that destination IP address to obtain a combined IP address; send each combined IP address to the user so that the user inputs the control mode corresponding to it; and, on receiving the control mode input by the user for each combined IP address, construct the access control policy table from each combined IP address and its corresponding control mode.
The determination unit 400 is configured to determine, according to the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address, the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address; the access manner comprises direct access and access using network configuration.
The determination unit 400 is specifically configured to: when the control mode corresponding to the network security area corresponding to the source IP address is detail control, determine a first control point according to that control mode and the source IP address, call the issuing configuration tool to issue network configuration at the first control point, and record that network configuration as the first network configuration; when the control mode corresponding to the network security area corresponding to the destination IP address is detail control, determine a second control point according to that control mode and the destination IP address; call the issuing configuration tool to issue network configuration at the second control point, record that network configuration as the second network configuration, and determine that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access using the first network configuration and the second network configuration.
The determination unit 400 is specifically configured to: when the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address are both large-section release, determine that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is direct access.
The determination unit 400 is specifically configured to: when the control mode corresponding to the network security area corresponding to the source IP address is large-section release and the control mode corresponding to the network security area corresponding to the destination IP address is detail control, determine a control point according to the control mode corresponding to the network security area corresponding to the destination IP address and the destination IP address; after the issuing configuration tool has been called to issue network configuration at the control point, determine that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access using that network configuration.
The determination unit 400 is specifically configured to: when the control mode corresponding to the network security area corresponding to the source IP address is detail control and the control mode corresponding to the network security area corresponding to the destination IP address is large-section release, determine a control point according to the control mode corresponding to the network security area corresponding to the source IP address and the source IP address; after the issuing configuration tool has been called to issue network configuration at the control point, determine that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access using that network configuration.
In summary, the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is determined according to the control mode corresponding to each of the two network security areas.
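The decision logic of steps S401 to S403, S501 to S502 and S601 to S602 above, together with the policy-table construction performed by the selection unit 300 and the decision performed by the determination unit 400, as one worked example. This is added illustration code, not code from the patent or its applicant. The correspondence table, the assignment of each area to a private-cloud or public-cloud stack, the operator's control-mode answers and all addresses are constructed; the example also assumes that the operator records a separate control mode for the source side and the destination side of each ordered pair of areas, and that a pair with no policy entry (including traffic inside one area) is refused rather than passed. No real issuing tool is called: the function that would push the configuration only returns what it would issue, with gateway and DNS values derived from the address block for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import permutations
from typing import Callable, Dict, List, Tuple

LARGE_SECTION_RELEASE = "large-section release"
DETAIL_CONTROL = "detail control"
DIRECT_ACCESS = "direct access"
CONFIGURED_ACCESS = "access using network configuration"

# Constructed correspondence table: address block -> network security area.
CORRESPONDENCE_TABLE = {"10.1.0.0/16": "office", "10.2.0.0/16": "internet-dmz",
                        "10.3.0.0/16": "core"}
# Constructed: the technology stack hosting each area. The description issues
# configuration by preset script on the business stack (private cloud) and
# through an API interface on the Internet stack (public cloud).
AREA_STACK = {"office": "private cloud", "internet-dmz": "public cloud",
              "core": "private cloud"}
# Assumption: the operator records a (source-side, destination-side) control
# mode pair for every ordered pair of distinct areas.
Policy = Dict[Tuple[str, str], Tuple[str, str]]

def block_of(ip: str) -> ipaddress.IPv4Network:
    """Return the correspondence-table block containing ip, or fail closed."""
    addr = ipaddress.ip_address(ip)
    for block in CORRESPONDENCE_TABLE:
        net = ipaddress.ip_network(block)
        if addr in net:
            return net
    raise LookupError(f"{ip} belongs to no network security area")

def area_of(ip: str) -> str:
    return CORRESPONDENCE_TABLE[str(block_of(ip))]

def build_policy_table(areas, ask: Callable[[str, str], Tuple[str, str]]) -> Policy:
    """Enumerate every ordered pair of distinct areas and record the control
    modes that `ask` (a stand-in for the user's input) assigns to the pair."""
    table: Policy = {}
    for src, dst in permutations(sorted(set(areas)), 2):
        modes = ask(src, dst)
        if any(m not in (LARGE_SECTION_RELEASE, DETAIL_CONTROL) for m in modes):
            raise ValueError(f"unknown control mode for {src}->{dst}: {modes}")
        table[(src, dst)] = modes
    return table

@dataclass
class IssuedConfiguration:
    control_point: str        # address at which the configuration was issued
    tool: str                 # "preset script" or "API interface"
    settings: Dict[str, str]  # IP address, gateway, DNS

@dataclass
class AccessDecision:
    source_area: str
    destination_area: str
    access_mode: str
    configurations: List[IssuedConfiguration] = field(default_factory=list)

def issue_configuration(area: str, ip: str) -> IssuedConfiguration:
    """Pick the issuing tool from the control point's stack and return the
    configuration it would push; no real tool is called, and gateway and DNS
    are constructed from the address block purely for illustration."""
    tool = "preset script" if AREA_STACK[area] == "private cloud" else "API interface"
    net = block_of(ip)
    return IssuedConfiguration(ip, tool, {"ip": ip, "gateway": str(net[1]),
                                          "dns": str(net[2])})

def decide(src_ip: str, dst_ip: str, policy: Policy) -> AccessDecision:
    """Map both addresses to areas, look up the pair's control modes and derive
    the access manner plus the control points that must be configured."""
    src_area, dst_area = area_of(src_ip), area_of(dst_ip)
    try:
        src_mode, dst_mode = policy[(src_area, dst_area)]
    except KeyError:
        # Unlisted pairs (including same-area traffic) have no entry; fail closed.
        raise LookupError(f"no policy entry for {src_area}->{dst_area}") from None
    decision = AccessDecision(src_area, dst_area, DIRECT_ACCESS)
    if src_mode == DETAIL_CONTROL:   # first control point (steps S401, S601)
        decision.configurations.append(issue_configuration(src_area, src_ip))
    if dst_mode == DETAIL_CONTROL:   # second control point (steps S402-S403, S501)
        decision.configurations.append(issue_configuration(dst_area, dst_ip))
    if decision.configurations:
        decision.access_mode = CONFIGURED_ACCESS
    return decision

# Constructed operator answers; any pair not listed is large-section release.
CONSTRUCTED_MODES = {
    ("office", "core"): (DETAIL_CONTROL, DETAIL_CONTROL),
    ("office", "internet-dmz"): (LARGE_SECTION_RELEASE, DETAIL_CONTROL),
    ("internet-dmz", "office"): (DETAIL_CONTROL, LARGE_SECTION_RELEASE),
}
POLICY = build_policy_table(CORRESPONDENCE_TABLE.values(), lambda s, d: CONSTRUCTED_MODES.get(
    (s, d), (LARGE_SECTION_RELEASE, LARGE_SECTION_RELEASE)))
```

Calling `decide("10.1.0.5", "10.3.0.9", POLICY)` exercises the both-sides-detail-control path and yields two issued configurations, one per control point; `decide("10.3.0.9", "10.2.0.7", POLICY)` hits a pair the operator left at large-section release and returns direct access with nothing issued. Two defensive choices are worth keeping in a real implementation: the policy builder rejects any mode outside the two the description defines, and an address outside every block or a pair without a table entry raises instead of silently falling through to direct access.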
In this specification, the embodiments are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts may be referred to across embodiments.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A network access control method, comprising:
when an access request is received, acquiring a source IP address and a destination IP address from the access request;
acquiring a network security area corresponding to the source IP address and a network security area corresponding to the destination IP address from a correspondence table; the correspondence table is constructed in advance based on IP addresses and network security areas;
selecting, from an access control policy table, a control mode corresponding to the network security area corresponding to the source IP address and a control mode corresponding to the network security area corresponding to the destination IP address; the control mode comprises large-section release or detail control; the access control policy table is constructed in advance based on network security areas and control modes;
determining, according to the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address, the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address; the access manner comprises direct access and access using network configuration.
2. The method according to claim 1, wherein constructing the access control policy table in advance based on the network security areas and control modes comprises:
dividing the network security areas to obtain a security area set; the security area set comprises at least each security area;
for each security area, taking the security area as a source IP address and the other security areas as destination IP addresses; the other security areas comprise the security areas in the security area set other than the security area corresponding to the source IP address;
for each destination IP address, respectively combining the source IP address with the destination IP address to obtain each combined IP address;
sending each combined IP address to a user so that the user inputs a control mode corresponding to each combined IP address;
when receiving the control mode corresponding to each combined IP address input by a user, constructing the access control policy table based on each combined IP address and the control mode corresponding to each combined IP address.
3. The method according to claim 1, wherein determining, according to the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address, the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address comprises:
when the control mode corresponding to the network security area corresponding to the source IP address is the detail control, determining a first control point according to the control mode corresponding to the network security area corresponding to the source IP address and the source IP address, calling an issuing configuration tool to issue network configuration at the first control point, and recording the issued network configuration as a first network configuration;
when the control mode corresponding to the network security area corresponding to the destination IP address is the detail control, determining a second control point according to the control mode corresponding to the network security area corresponding to the destination IP address and the destination IP address;
and calling the issuing configuration tool to issue network configuration at the second control point, recording the issued network configuration as a second network configuration, and determining that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access using the first network configuration and the second network configuration.
4. The method according to claim 1, wherein determining, according to the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address, the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address comprises:
when the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address are both the large-section release, determining that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is direct access.
5. The method according to claim 1, wherein determining, according to the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address, the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address comprises:
when the control mode corresponding to the network security area corresponding to the source IP address is the large-section release and the control mode corresponding to the network security area corresponding to the destination IP address is the detail control, determining a control point according to the control mode corresponding to the network security area corresponding to the destination IP address and the destination IP address;
and after network configuration has been issued at the control point, determining that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access using the network configuration.
6. The method according to claim 1, wherein determining, according to the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address, the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address comprises:
when the control mode corresponding to the network security area corresponding to the source IP address is the detail control and the control mode corresponding to the network security area corresponding to the destination IP address is the large-section release, determining a control point according to the control mode corresponding to the network security area corresponding to the source IP address and the source IP address;
and after network configuration has been issued at the control point, determining that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access using the network configuration.
7. A network access control device, comprising:
a first acquisition unit, configured to acquire a source IP address and a destination IP address from an access request when the access request is received;
a second acquisition unit, configured to acquire, from a correspondence table, a network security area corresponding to the source IP address and a network security area corresponding to the destination IP address; the correspondence table is constructed in advance based on IP addresses and network security areas;
a selection unit, configured to select, from an access control policy table, a control mode corresponding to the network security area corresponding to the source IP address and a control mode corresponding to the network security area corresponding to the destination IP address; the control mode comprises large-section release or detail control; the access control policy table is constructed in advance based on network security areas and control modes;
a determination unit, configured to determine, according to the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address, the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address; the access manner comprises direct access and access using network configuration.
8. The device according to claim 7, wherein the selection unit is specifically configured to:
divide the network security areas to obtain a security area set; the security area set comprises at least each security area;
for each security area, take the security area as a source IP address and the other security areas as destination IP addresses; the other security areas comprise the security areas in the security area set other than the security area corresponding to the source IP address;
for each destination IP address, combine the source IP address with the destination IP address to obtain a combined IP address;
send each combined IP address to a user so that the user inputs a control mode corresponding to each combined IP address;
and, when the control mode corresponding to each combined IP address input by the user is received, construct the access control policy table based on each combined IP address and the control mode corresponding to each combined IP address.
9. The device according to claim 7, wherein the determination unit is specifically configured to:
when the control mode corresponding to the network security area corresponding to the source IP address is the detail control, determine a first control point according to the control mode corresponding to the network security area corresponding to the source IP address and the source IP address, call an issuing configuration tool to issue network configuration at the first control point, and record the issued network configuration as a first network configuration;
when the control mode corresponding to the network security area corresponding to the destination IP address is the detail control, determine a second control point according to the control mode corresponding to the network security area corresponding to the destination IP address and the destination IP address;
and call the issuing configuration tool to issue network configuration at the second control point, record the issued network configuration as a second network configuration, and determine that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is access using the first network configuration and the second network configuration.
10. The device according to claim 7, wherein the determination unit is specifically configured to:
when the control mode corresponding to the network security area corresponding to the source IP address and the control mode corresponding to the network security area corresponding to the destination IP address are both the large-section release, determine that the access manner by which the network security area corresponding to the source IP address accesses the network security area corresponding to the destination IP address is direct access.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310964810.8A CN117061161A (en) | 2023-08-02 | 2023-08-02 | Network access control method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117061161A true CN117061161A (en) | 2023-11-14 |
Family ID: 88663674
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310964810.8A Pending CN117061161A (en) | 2023-08-02 | 2023-08-02 | Network access control method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117061161A (en) |
- 2023-08-02: CN CN202310964810.8A patent/CN117061161A/en, active, Pending
Similar Documents
Publication | Title |
---|---|
US9253158B2 (en) | Remote access manager for virtual computing services |
US9237147B2 (en) | Remote access manager for virtual computing services |
US9225721B2 (en) | Distributing overlay network ingress information |
WO2018208295A1 (en) | Iot device connectivity, discovery, and networking |
CN104427010A (en) | NAT (network address translation) method and device applied to DVPN (dynamic virtual private network) |
JP2013522773A (en) | Pluggable token provider model that enforces authentication across multiple web services |
WO2014005442A1 (en) | Network service access method and system |
WO2013097484A1 (en) | Method, server and system for balancing loads of virtual machine cluster |
US20130035079A1 (en) | Method and system for establishing data commuication channels |
JP2024504006A (en) | Data transmission methods, devices, equipment and computer programs for service integration |
EP2710791B1 (en) | Directing messages based on domain names |
WO2021031465A1 (en) | Sd-wan-based device authentication method and system |
CN110868450B (en) | Dual-computer room multi-entrance session keeping method, system, device and storage medium |
AU2017344389A1 (en) | Portal aggregation service mapping subscriber device identifiers to portal addresses to which connection and authentication requests are redirected and facilitating mass subscriber apparatus configuration |
US20130268584A1 (en) | Methods and apparatus for publishing and subscribing electronic documents using intermediate rendezvous servers |
JP2015153076A (en) | Communication apparatus, method, and program |
CN117061161A (en) | Network access control method and device |
CN104301197B (en) | It is a kind of to realize the method and system mutually found between user multiple terminals |
US11196666B2 (en) | Receiver directed anonymization of identifier flows in identity enabled networks |
JP2006108768A (en) | Communication connection method and communication system for concealing identification information of user terminal |
CN105516121B (en) | The method and system that AC is communicated with AP in WLAN |
WO2020252834A1 (en) | Network request processing method and system and ingress and egress network devices |
CN114339727B (en) | Edge platform, configuration method, device, terminal and storage medium |
JP2011239082A (en) | Communication apparatus and address conversion method |
WO2021134860A1 (en) | Load balancing method, device and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |