CN117640367A - Trusted network communication method - Google Patents

Trusted network communication method

Info

Publication number: CN117640367A
Authority: CN (China)
Prior art keywords: network; trusted; trusted network; configuring; service
Legal status: Pending
Application number: CN202311667079.9A
Other languages: Chinese (zh)
Inventors: 李文通, 王宗训, 常双举
Current assignee: Xian Chaoyue Shentai Information Technology Co Ltd
Original assignee: Xian Chaoyue Shentai Information Technology Co Ltd
Priority date: 2023-12-06
Filing date: 2023-12-06
Publication date: 2024-03-01

Application filed by Xian Chaoyue Shentai Information Technology Co Ltd
Priority to CN202311667079.9A
Publication of CN117640367A

Abstract

The invention relates to a trusted network communication method. The method comprises the steps of configuring several physical network interfaces on a trusted network access terminal device and configuring all of its physical network cards as one network bond; connecting each physical network port of the terminal access device to an interface on a different switch; configuring 802.1X information and a RADIUS server IP address on the switches; and configuring the RADIUS service on the RADIUS server. With this method, load balancing of terminal data is achieved; at the same time a data path can be designated for each service, so that trusted authentication is performed per service, and switches of different specifications can be used according to the traffic volume of each service, avoiding the waste of deploying high-specification switches throughout the network.

Description

Trusted network communication method
Technical Field
The invention relates to the technical field of networks, in particular to a trusted network communication method.
Background
A trusted network architecture is not a specific security product or a targeted security solution, but an all-round, organically integrated network security architecture that emphasises the horizontal association and vertical management of security products from various vendors. Implementing a trusted network therefore requires different security products and systems from multiple security vendors, each supported and coordinated by its vendor.
At present there are many trusted network access control modes, but the smallest unit of trusted access authentication is a physical terminal; authentication cannot be performed for an individual process or port.
Based on the above situation, the invention provides a trusted network communication method.
Disclosure of Invention
To overcome the defects of the prior art, the invention provides a simple and efficient trusted network communication method.
The invention is realized by the following technical scheme:
a method of trusted network communication, characterized in that it comprises the following steps:
step S1, configuring several physical network interfaces on a trusted network access terminal device and configuring all of its physical network cards as one network bond;
step S2, connecting each physical network port of the terminal access device to an interface on a different switch;
step S3, configuring 802.1X information and a RADIUS server IP address on the switches;
step S4, configuring the RADIUS service on the RADIUS server.
In step S1, the network bond is configured as mode 2, i.e. the XOR policy, and the policy is set so that data is distributed across the physical network cards according to IP address and port.
Because the network cards of each access terminal are configured as one network bond, in step S1 all the physical network cards present the same MAC and IP address to the outside;
configuring the bond thus both carries the data of a specific service through a designated physical network port and load-balances the data flow across the network cards, while only one IP address is visible externally.
In step S1, the bond policy configuration causes the data for a specific port and IP address to pass through a designated network card, so each service must authenticate separately when accessing the trusted network; only after passing authentication can the service access the trusted network and communicate.
In step S1, seen from the whole system, the separate authentication a service performs when accessing the trusted network is independent: the data of other services is carried over other physical network cards, so the data communication of the service is not affected.
In step S3, all the access switches are configured with 802.1X information and at least two RADIUS server IP addresses, to support high availability of network access control.
In step S3, each physical network card is connected to a different switch; each switch is configured with the 802.1X protocol, and the network card can access the trusted network after passing authentication.
A trusted network communication device, characterized by: comprising a memory and a processor; the memory is used for storing a computer program, and the processor is used for implementing the method steps described above when executing the computer program.
A readable storage medium, characterized by: the readable storage medium has stored thereon a computer program which, when executed by a processor, implements the method steps as described above.
The beneficial effects of the invention are as follows: with this trusted network communication method, load balancing of terminal data is achieved; at the same time a data path can be designated for each service, so that trusted authentication is performed per service, and switches of different specifications can be used according to the traffic volume of each service, avoiding the waste of deploying high-specification switches throughout the network.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a trusted network communication method according to the present invention.
Fig. 2 is a schematic diagram of a trusted network communication architecture according to the present invention.
Detailed Description
In order to enable those skilled in the art to better understand the technical solution of the present invention, the following description will make clear and complete description of the technical solution of the present invention in combination with the embodiments of the present invention. It will be apparent that the embodiments described below are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
At present, trusted computing is driving the move towards trusted networks. In the informatization process of enterprises and public institutions, security management subsystems based on trust management, identity management, vulnerability management, threat management and the like are gradually built according to the security problems and application requirements each institution faces. However, these targeted security products and security solutions currently lack collaboration and communication with each other, and therefore do not achieve overall defence of network security.
Promoting the trusted network aims to achieve effective integration, management and supervision of the security resources of the user network, trusted expansion of the user network and complete information security protection; it addresses the real requirements of users and effectively improves the security defence capability of the user network.
Promoting the trusted network architecture can effectively solve the following problems faced by users: whether the device access process is trusted; whether the execution of the device's security policy is trusted; whether the execution of the security system is trusted; whether the operator's behaviour during use of the system is trusted; and so on.
However, to reach a trusted network, the problem of trusted routing must be solved first.
The trusted network communication method comprises the following steps:
step S1, configuring several physical network interfaces on a trusted network access terminal device and configuring all of its physical network cards as one network bond;
step S2, connecting each physical network port of the terminal access device to an interface on a different switch;
step S3, configuring 802.1X information and a RADIUS server IP address on the switches;
step S4, configuring the RADIUS service on the RADIUS server.
In step S1, the network bond is configured as mode 2, i.e. the XOR policy, and the policy is set so that data is distributed across the physical network cards according to IP address and port.
Because the network cards of each access terminal are configured as one network bond, in step S1 all the physical network cards present the same MAC and IP address to the outside;
configuring the bond thus both carries the data of a specific service through a designated physical network port and load-balances the data flow across the network cards, while only one IP address is visible externally.
In step S1, the bond policy configuration causes the data for a specific port and IP address to pass through a designated network card, so each service must authenticate separately when accessing the trusted network; only after passing authentication can the service access the trusted network and communicate.
In step S1, seen from the whole system, the separate authentication a service performs when accessing the trusted network is independent: the data of other services is carried over other physical network cards, so the data communication of the service is not affected.
In step S3, all the access switches are configured with 802.1X information and at least two RADIUS server IP addresses, to support high availability of network access control.
In step S3, each physical network card is connected to a different switch; each switch is configured with the 802.1X protocol, and the network card can access the trusted network after passing authentication.
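As an added illustration (not code from the patent or its applicant), the following Python model carries steps S1 to S4 through on constructed sample data: a bond with two slaves, each cabled to its own access switch, the switches running 802.1X against a shared list of two RADIUS servers. It assumes that the "XOR policy distributing by IP and port" is the Linux bonding driver's balance-xor mode with xmit_hash_policy=layer3+4, and implements that hash from the formula in the kernel's bonding documentation (current kernels derive it through the flow dissector, so a live bond may choose a different slave for the same flow). The switch names, RADIUS addresses, terminal address and flows are constructed, and 802.1X and RADIUS are modelled as state only; no EAP or RADIUS packets are exchanged.

```python
"""Model of the bonded-terminal / per-switch 802.1X layout of steps S1-S4.

Added illustration, not the patent's code. Assumptions not stated in the
patent: the "XOR policy distributing by IP and port" is read as the Linux
bonding driver's balance-xor mode with xmit_hash_policy=layer3+4, and
l34_hash() follows the formula in the kernel's bonding documentation
(current kernels hash via the flow dissector and may pick another slave).
802.1X/RADIUS are modelled as state only; no EAP or RADIUS packets are
built. All addresses, ports and switch names are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


def l34_hash(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> int:
    """Documented layer3+4 hash: h = sport ^ dport; h ^= saddr ^ daddr;
    h ^= h >> 16; h ^= h >> 8."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    h = (src_port ^ dst_port) & 0xFFFF
    h ^= s ^ d
    h ^= h >> 16
    h ^= h >> 8
    return h & 0xFFFFFFFF


def select_slave(src_ip, dst_ip, src_port, dst_port, slave_count: int) -> int:
    """balance-xor: hash reduced modulo the number of active slaves."""
    return l34_hash(src_ip, dst_ip, src_port, dst_port) % slave_count


@dataclass
class RadiusServer:
    ip: str
    up: bool = True


@dataclass
class AccessSwitch:
    """Access switch running 802.1X; step S3 gives it at least two RADIUS
    servers so that authentication survives one server outage."""
    name: str
    radius: list
    authorized_ports: set = field(default_factory=set)

    def reachable_radius(self):
        return next((r for r in self.radius if r.up), None)

    def dot1x_authenticate(self, port: str, credential_ok: bool) -> str:
        """Authorize a port only if a RADIUS server answers and accepts."""
        srv = self.reachable_radius()
        if srv is None:
            return "no-radius"
        if not credential_ok:
            self.authorized_ports.discard(port)
            return "rejected"
        self.authorized_ports.add(port)
        return f"accepted-by-{srv.ip}"


@dataclass
class Bond:
    """Terminal bond: one IP/MAC outside; slave i is cabled to uplinks[i]
    = (switch, port), a different switch per slave as in step S2."""
    ip: str
    mac: str
    uplinks: list

    def path_for(self, dst_ip: str, src_port: int, dst_port: int):
        idx = select_slave(self.ip, dst_ip, src_port, dst_port, len(self.uplinks))
        return idx, self.uplinks[idx]

    def can_send(self, dst_ip: str, src_port: int, dst_port: int) -> bool:
        """Frames leave only via a slave whose switch port passed 802.1X."""
        _, (switch, port) = self.path_for(dst_ip, src_port, dst_port)
        return port in switch.authorized_ports


def demo() -> dict:
    primary, backup = RadiusServer("192.0.2.11"), RadiusServer("192.0.2.12")
    sw_a = AccessSwitch("sw-a", [primary, backup])
    sw_b = AccessSwitch("sw-b", [primary, backup])
    bond = Bond("10.0.0.10", "02:00:00:00:00:01", [(sw_a, "1/0/1"), (sw_b, "1/0/1")])
    https = ("10.0.1.20", 40000, 443)  # (dst_ip, src_port, dst_port) -> slave 1 / sw-b
    ssh = ("10.0.1.20", 50000, 22)     # -> slave 0 / sw-a
    out = {"https_slave": bond.path_for(*https)[0], "ssh_slave": bond.path_for(*ssh)[0]}
    # Only the sw-a link has authenticated: SSH passes, HTTPS is held back.
    out["sw_a_auth"] = sw_a.dot1x_authenticate("1/0/1", credential_ok=True)
    out["ssh_before"] = bond.can_send(*ssh)
    out["https_before"] = bond.can_send(*https)
    # Primary RADIUS fails; sw-b still authenticates via the backup (step S3 HA).
    primary.up = False
    out["sw_b_auth"] = sw_b.dot1x_authenticate("1/0/1", credential_ok=True)
    out["https_after"] = bond.can_send(*https)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows which slave, and therefore which switch, each service's flow is pinned to by the hash, that the SSH flow passes as soon as the sw-a port is authorized while the HTTPS flow is held until the sw-b port authenticates, and that sw-b's authentication succeeds through the backup RADIUS server after the primary fails. The model also reflects a practical point of this design: 802.1X authorizes an individual switch port, so each bond slave needs its own supplicant session with its own switch, and one authentication never covers both links.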
The trusted network communication device includes a memory and a processor; the memory is used for storing a computer program, and the processor is used for implementing the method steps described above when executing the computer program.
The readable storage medium has stored thereon a computer program which, when executed by a processor, implements the method steps described above.
The trusted network communication method has the following beneficial effects, obtained by binding the terminal device's network cards as a bond and having the bond, the switches and the trusted network access control server work together:
first, load balancing of terminal data is achieved;
second, a data flow path can be designated for each service, so that service-based trusted authentication is achieved;
third, high availability of trusted authentication is achieved, avoiding the situation where the whole network cannot provide service because a trusted network access control server has failed;
fourth, switches of different specifications can be used according to the data traffic of each service, avoiding the waste of deploying high-specification switches throughout the network.
The above describes a trusted network communication method in the embodiment of the present invention in detail. The principles and embodiments of the present invention have been described in this section with specific examples provided above to facilitate understanding of the core concepts of the invention and all other examples obtained by one skilled in the art without departing from the principles of the invention are intended to be within the scope of the invention.

Claims (9)

1. A method of trusted network communication, characterized by: the method comprises the following steps:
step S1, configuring a plurality of physical network interfaces for a trusted network access terminal device, and configuring all physical network cards as a network bond;
step S2, connecting each physical network port of the terminal access equipment to different switch interfaces;
step S3, configuring 802.1X information and a RADIUS server IP address on the switches;
step S4, configuring the RADIUS service on the RADIUS server.
2. The trusted network communication method of claim 1, wherein: in step S1, the network bond is configured as mode 2, and the policy is set so that data is distributed according to IP address and port.
3. A trusted network communication method as claimed in claim 2, characterized in that: because the network cards of each access terminal are configured as one network bond, in step S1 all the physical network cards present the same MAC and IP address to the outside;
configuring the bond thus both carries the data of a specific service through a designated physical network port and load-balances the data flow across the network cards, while only one IP address is visible externally.
4. A trusted network communication method as claimed in claim 2, characterized in that: in step S1, the bond policy configuration causes the data for a specific port and IP address to pass through a designated network card, so each service must authenticate separately when accessing the trusted network; only after passing authentication can the service access the trusted network and communicate.
5. The trusted network communication method of claim 4, wherein: in step S1, seen from the whole system, the separate authentication a service performs when accessing the trusted network is independent: the data of other services is carried over other physical network cards, so the data communication of the service is not affected.
6. The trusted network communication method of claim 1, wherein: in step S3, all the access switches are configured with 802.1X information and at least two RADIUS server IP addresses, to support high availability of network access control.
7. The trusted network communication method of claim 1, wherein: in step S3, each physical network card is connected to a different switch; each switch is configured with the 802.1X protocol, and the network card can access the trusted network after passing authentication.
8. A trusted network communication device, characterized by: comprising a memory and a processor; the memory is adapted to store a computer program, the processor being adapted to implement the method steps of any of claims 1 to 7 when the computer program is executed.
9. A readable storage medium, characterized by: the readable storage medium has stored thereon a computer program which, when executed by a processor, implements the method steps of any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311667079.9A CN117640367A (en) 2023-12-06 2023-12-06 Trusted network communication method

Publications (1)

Publication Number Publication Date
CN117640367A true CN117640367A (en) 2024-03-01

Family

ID=90028656

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination