CN1400540A - Control method of network connection and separation - Google Patents
- Publication number
- CN1400540A (application number CN01127707)
- Authority
- CN
- China
- Prior art keywords
- network
- terminal
- control module
- virtual
- certificate
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Landscapes
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to network security technology, and in particular to a control method for connecting and isolating networks. An isolation control module is added to a network switching hub that supports the standard VLAN protocol. The module can divide the hub into a number of mutually independent virtual networks: one of them connects to the control module, and the others connect to different networks through their respective public ports. A user terminal is attached to one port of the hub, and the control module dynamically assigns that port to the virtual network corresponding to the network the user selected, according to a network connection control signal sent by the terminal. The terminal and the control module authenticate dynamically with digital certificates and keep each other under timed monitoring, so that security isolation between the networks is achieved.
Description
Technical field
The present invention relates to network security technology, and more particularly to a control method for network connection and isolation.
Background technology
With the continuous development of computer and network technologies, most computers connected to a local area network (LAN) may at the same time be connected to a wide area network such as the Internet, and network security then becomes particularly important. One focus of network security is to prevent the computers and resources of the LAN from being illegally used or attacked while they are connected to the external network; in particular, the internal network and the external network must be separated so that a user cannot be logged into both at once, and so that intranet data cannot be leaked out or the intranet attacked from the external network. Several isolation schemes exist today. The most primitive uses two computers, A and B, connected respectively to the intranet and the extranet, each independent and not interfering with the other; its drawbacks are high cost and inconvenient operation. Another uses two hosts, A and B, connected respectively to the intranet and the extranet but sharing peripherals such as the display and keyboard; since there are still two hosts, high cost remains a significant drawback.
Fig. 1 shows the structure of yet another network isolation method. Each terminal has at least two hard disks, or two hard-disk partitions, for the intranet and the extranet respectively. The network interface card reaches the intranet and extranet HUBs only through an isolation card: the eight wires leading from the network card are split into two groups of four, one group going to the intranet HUB and the other to the extranet HUB, and a switching signal sent to the isolation card selects whether the intranet or the extranet is connected. The disadvantages of this method are: 1) each terminal needs two HUB ports, but only one is in use at a time while the other sits idle, which wastes resources; 2) the network card signal must pass through the isolation card before reaching the HUB, which causes serious signal loss and degrades network communication; 3) in some places the installed cabling is four-core, which cannot provide the two groups of four wires this method needs.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the above defects of the prior art by providing a control method for network connection and isolation that achieves isolation between networks at lower cost and with fewer resources, so as to protect the security of computer data.
The technical solution of the present invention is a control method for network connection/isolation, characterised in that it comprises the following steps:
the terminal selects the network to be connected;
a network connection control signal is sent to a control module located on a network switching hub (Switch HUB);
according to the network connection control signal, the control module sets the virtual network parameters so that the port of the switching hub to which the terminal is connected is dynamically assigned to the virtual network corresponding to the selected network; the terminal is thereby connected to the network belonging to that virtual network and kept isolated from the networks that do not belong to it.
The network switching hub supports the standard VLAN (Virtual LAN) protocol. The isolation control module located on the hub can, according to the network connection control signal from the terminal and by setting the virtual network parameters, dynamically divide the hub into a number of mutually independent virtual networks. One of them is used to connect the control module and carry internal control commands; the others can be connected to different networks through their respective public ports. A user terminal is connected to some port of the hub, and that port is assigned to one of the virtual networks.
In the method of the invention, the network connection control signal comprises a network request signal and a digital authentication certificate. When the control module has examined the certificate and judged it valid, it modifies the virtual network parameter table according to the network request signal, dynamically assigning the port to the virtual network corresponding to the network selected by the user. The certificate the terminal sends to the control module is a one-time dynamic authentication certificate: after judging the received certificate legal, the control module sends a new certificate back to the terminal for its next use.
The method of the invention further comprises a timed monitoring step: the control module regularly monitors the network connection state of the terminal and, when it detects that this state has changed, disconnects the port from the virtual network it is currently assigned to. Specifically, the terminal sends a monitoring feature code to the control module at regular intervals; when the control module does not receive the feature code from the terminal on time, or the received feature code is illegal, it disconnects the port from the currently connected virtual network by modifying the virtual network parameter table of the switching hub. To make the timed monitoring reliable, the feature codes sent by one terminal change each time according to the same rule, while the feature codes sent by different terminals change according to different rules; the sending interval can be set to 50-300 milliseconds.
A common configuration of the method is to divide the switching hub dynamically into three virtual networks, used respectively for the intranet, the extranet and the control module, where the intranet virtual network is connected to the internal LAN through its public port and the extranet virtual network is connected to the external Internet through its public port.
Implementing the network connection and isolation control method of the invention overcomes the above defects of the prior art and achieves isolation between networks at lower cost and with fewer resources, protecting the security of computer data. Its advantages are: each terminal occupies only one port of the switching hub, reducing resource use; the terminal's network card is connected directly to the switching hub, reducing signal loss; and only a four-core network cable is needed, so the method can be applied where four-core cabling is installed.
Description of drawings
Fig. 1 is a structural diagram of a conventional network isolation technique;
Fig. 2 is a schematic diagram of embodiment one of the invention;
Fig. 3 is a schematic diagram of embodiment two, in which two operating systems are used to isolate the intranet and the extranet;
Fig. 4 is a schematic diagram of the terminal of Fig. 3 after it has started and been assigned to the extranet;
Fig. 5 is a workflow diagram of the embodiment shown in Fig. 3.
Embodiment
Fig. 2 shows a simple embodiment of the invention. Terminal 4 is connected to HUB 1, which supports the VLAN protocol; an isolation control module 2 that can dynamically divide HUB 1 into a number of mutually independent virtual networks is also connected to HUB 1. The working process is as follows:
Step 201: the user sends a network request signal from terminal 4;
Step 202: according to the received network request signal, the control module changes the VLAN parameter configuration of HUB 1, dynamically assigning the HUB port to which the terminal is connected to the virtual network corresponding to the network the user requested;
Step 203: the user's terminal is connected to the network it requested.
The method may be implemented on a terminal with a single operating system or on a terminal with two operating systems installed; the difference lies in how the network request signal is sent. In the former case it is sent by different network control commands; in the latter, by choosing which operating system (the one for the intranet or the one for the extranet) the terminal is started with.
The following embodiment covers the case where the terminal holds two operating systems, one for the intranet and one for the extranet. As Fig. 3 shows, to isolate the intranet from the extranet, the standard VLAN (Virtual LAN) protocol is used to divide HUB 1 dynamically into at least three mutually independent, mutually isolated virtual networks. The HUB in Fig. 3 has twelve ports, 101 to 112. Which virtual network each port belongs to is decided by the virtual network parameter table; "dynamic division" means that the membership of a port is not fixed and can be changed by modifying that table.
In this embodiment HUB 1 is divided dynamically into three independent, mutually isolated virtual networks used respectively for the intranet, the extranet and the control module. The intranet virtual network is connected to the internal LAN through its public port 105; the extranet virtual network is connected to the external Internet through its public port 106; the control virtual network is connected to control module 2 through its public port 110. The three dashed boxes in Fig. 3 show the division at a particular moment: ports 101-105 belong to the intranet virtual network, ports 106-109 to the extranet virtual network, and ports 112 and 110 to the control virtual network.
Control module 2 performs the dynamic authentication and timed monitoring functions. According to the network request signal sent by a terminal, it changes the virtual network that the terminal's port belongs to by modifying the virtual network parameter table. Control module 2 may be built into HUB 1, attached externally, or embedded.
Before use, the network rights of each terminal must be preset: a given terminal may be allowed to log into the intranet only, the extranet only, or both. If a terminal is allowed to log into both, security isolation between the intranet and the extranet is required. As Fig. 3 shows, the remaining ports of HUB 1 are connected to a number of terminals. Take terminal 3, connected to port 112 of HUB 1, as an example: the network cable runs from port 112 to network card 31 of terminal 3 and on to mainboard 32, which is connected to two hard disks 33 and 34 (these may also be two partitions of one hard disk). The two disks hold two operating systems, one for the intranet and one for the extranet; each can be started on its own and works independently.
Fig. 5 shows the workflow of the embodiment of Fig. 3 when the extranet is selected. In step 301, terminal 3 starts. In step 302, the user selects the operating system for the extranet. In step 303, terminal 3 boots the extranet operating system. In step 304, terminal 3 sends a network request signal and a digital authentication certificate to control module 2; as Fig. 3 shows, at this moment terminal 3 and control module 2 belong to the same virtual network and can communicate. In step 305, control module 2 judges whether a legal authentication certificate has been received; if so, step 307 is executed, otherwise step 306. In step 306, the network allocation request is refused. In step 307, control module 2 sends terminal 3 a new authentication certificate for use at its next start and, according to the network request signal sent by terminal 3, modifies the virtual network parameter table so that port 112, to which terminal 3 is connected, is assigned to the extranet virtual network; Fig. 4 shows the situation once terminal 3 has been assigned to the extranet. In step 308, the terminal is connected to the extranet. In step 309, every 100 milliseconds the terminal sends control module 2 a timed monitoring feature code that changes each time according to the same algorithm. In step 310, control module 2 judges whether the feature code from terminal 3 has arrived on time and whether it is legal; if not, step 311 is executed, otherwise the flow returns to step 309. In step 311, control module 2 modifies the virtual network parameter table so that port 112 no longer belongs to the extranet, and the connection between terminal 3 and the extranet is broken.
The authentication certificate terminal 3 sends to control module 2 is a one-time dynamic certificate. "One-time" means that, after judging the received certificate legal, control module 2 sends terminal 3 a new certificate for its next start; each certificate is generated automatically and can be used only once.
To make the timed monitoring reliable, the monitoring feature codes sent by one terminal change each time according to the same rule (algorithm and parameters), while the feature codes sent by different terminals change according to different rules. The sending interval is 50-300 milliseconds; in this embodiment it is set to 100 milliseconds. This guards against physical tampering. For example, suppose terminal A may log into the intranet only while terminal B may log into both, and the user starts terminal A and at the same time boots terminal B's extranet operating system. Without timed monitoring, the user could swap the network cables of terminals A and B so that terminal A reaches the extranet. In the method of the invention the feature code is checked every 100 milliseconds and the terminal's connection to the current network is cut automatically as soon as the code fails to follow the rule; since cables cannot be swapped by hand in under 100 milliseconds, the precaution is effective.
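The steps of the method as summarised above (select the network, send the control signal with a certificate, rewrite the VLAN parameter table, keep the port under timed feature-code monitoring) and the Fig. 5 workflow (steps 301-311) with the cable-swap scenario, simulated end to end as an added example in Python. This is not code from the patent. The patent leaves the certificate format and the feature-code "rule" unspecified, so the following are assumptions of this example: a certificate is 16 random bytes that the module stores only as a SHA-256 digest; each terminal's rule is an HMAC-SHA256 over a per-terminal key and an increasing counter; a port that is cut returns to the control VLAN; two missed beats count as "not received on time"; the enrollment step, the permission table, the terminal names A and B and the port numbers follow the text but are constructed for the simulation. The switch is represented only by its VLAN parameter table (port to VLAN), which the module rewrites.

```python
"""VLAN connect/isolate control module, simulated (added example, not the patent's code)."""
import hashlib
import hmac
import secrets

INTRANET, EXTRANET, CONTROL = "intranet", "extranet", "control"
HEARTBEAT_MS = 100            # the patent allows 50-300 ms; the embodiment uses 100
GRACE_MS = 2 * HEARTBEAT_MS   # assumption: two missed beats mean "not received on time"


class Terminal:                # terminal side: one-time certificate plus its own feature-code rule
    def __init__(self, name, cert, hb_key):
        self.name, self.cert, self.hb_key, self.counter = name, cert, hb_key, 0

    def request(self, network):   # network request signal plus certificate; the certificate is spent
        cert, self.cert = self.cert, None
        return (self.name, network, cert)

    def heartbeat(self):          # feature code: HMAC over a per-terminal key and a counter (assumed)
        self.counter += 1
        code = hmac.new(self.hb_key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return (self.name, self.counter, code)


class ControlModule:           # isolation control module: the only party that rewrites the VLAN table
    def __init__(self, permissions, public_ports, terminal_ports):
        self.permissions = permissions                   # terminal name -> allowed networks
        self.vlan_table = dict(public_ports)             # port -> VLAN, i.e. the switch's table
        self.vlan_table.update({p: CONTROL for p in terminal_ports})  # idle ports reach the module
        self.cert_digest, self.hb_key, self.hb_last, self.sessions = {}, {}, {}, {}

    def enroll(self, name):       # provisioning (assumed): first certificate and feature-code key
        cert, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.cert_digest[name] = hashlib.sha256(cert).digest()
        self.hb_key[name], self.hb_last[name] = key, 0
        return Terminal(name, cert, key)

    def handle_request(self, port, signal, now_ms):
        """Steps 304-308: check the one-time certificate, rotate it, move the port."""
        name, network, cert = signal
        expected = self.cert_digest.get(name)
        if cert is None or expected is None or not hmac.compare_digest(
                hashlib.sha256(cert).digest(), expected):
            return (False, None)                         # step 306: refuse
        new_cert = secrets.token_bytes(16)               # step 307: certificate for the next start
        self.cert_digest[name] = hashlib.sha256(new_cert).digest()
        if network not in self.permissions.get(name, ()):
            return (False, new_cert)                     # legal terminal, network not permitted
        self.vlan_table[port] = network                  # the port joins the requested VLAN
        self.sessions[port] = (name, now_ms)             # port -> (terminal name, last beat ms)
        return (True, new_cert)

    def handle_heartbeat(self, port, beat, now_ms):
        """Step 310: a code from another terminal, replayed or forged, cuts the port."""
        name, counter, code = beat
        session = self.sessions.get(port)
        ok = (session is not None and session[0] == name and counter > self.hb_last[name]
              and hmac.compare_digest(code, hmac.new(
                  self.hb_key[name], counter.to_bytes(8, "big"), hashlib.sha256).digest()))
        if not ok:
            self.disconnect(port)                        # step 311
            return False
        self.hb_last[name] = counter
        self.sessions[port] = (name, now_ms)
        return True

    def tick(self, now_ms):       # timer: a terminal that falls silent is cut as well
        for port, (_, last) in list(self.sessions.items()):
            if now_ms - last > GRACE_MS:
                self.disconnect(port)

    def disconnect(self, port):   # rewrite the VLAN table so the port leaves its current network
        self.vlan_table[port] = CONTROL                  # assumption: back to the control VLAN
        self.sessions.pop(port, None)


def run_scenario():
    """Fig. 5 workflow, a certificate replay, the cable swap from the text, a silent terminal."""
    cm = ControlModule(permissions={"A": {INTRANET}, "B": {INTRANET, EXTRANET}},
                       public_ports={105: INTRANET, 106: EXTRANET, 110: CONTROL},
                       terminal_ports=[101, 102, 103, 104, 107, 108, 109, 111, 112])
    a, b = cm.enroll("A"), cm.enroll("B")
    vlan, out = cm.vlan_table, {}
    req = b.request(EXTRANET)                            # B boots its extranet OS on port 112
    granted, b.cert = cm.handle_request(112, req, 0)
    out["b_on_extranet"] = granted and vlan[112] == EXTRANET
    out["replay_refused"] = cm.handle_request(112, req, 0) == (False, None)
    for t in range(100, 600, 100):                       # beats every 100 ms keep the port up
        cm.handle_heartbeat(112, b.heartbeat(), t)
        cm.tick(t)
    out["kept_alive"] = vlan[112] == EXTRANET
    cut = cm.handle_heartbeat(112, a.heartbeat(), 600)   # A's cable swapped onto port 112
    out["swap_cut"] = cut is False and vlan[112] == CONTROL
    granted, b.cert = cm.handle_request(112, b.request(EXTRANET), 700)  # B plugs back in
    cm.handle_heartbeat(112, b.heartbeat(), 800)
    cm.tick(1100)                                        # 300 ms of silence, more than GRACE_MS
    out["silence_cut"] = granted and vlan[112] == CONTROL
    refused, a.cert = cm.handle_request(101, a.request(EXTRANET), 1200)  # A: intranet only
    out["a_extranet_refused"] = refused is False and vlan[101] == CONTROL
    granted, a.cert = cm.handle_request(101, a.request(INTRANET), 1300)
    out["a_on_intranet"] = granted and vlan[101] == INTRANET
    return out
```

Calling `run_scenario()` returns a dictionary in which every check is True. The keyed HMAC is this example's reading of "the same rule for one terminal, different rules for different terminals": because the key never leaves the terminal, a terminal plugged into another terminal's port cannot produce that port's expected codes even after watching them, and the counter rejects a captured code that is played back later. On real hardware the dictionary `vlan_table` corresponds to changing the port's VLAN membership through the switch's management interface.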
In the control method of the invention, to strengthen security and reliability, the control module is given no IP address and does not use standard protocols, so that it cannot be reached by conventional means or by existing network protocols.
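The "no IP address, no standard protocol" point, as an added example in Python that is not part of the patent: the control channel is carried in a private Ethernet II frame type that the module parses itself, so IPv4, ARP, IPv6 and any frame tagged with a VLAN other than the control VLAN are dropped before they reach any logic. Assumptions of this example: the EtherType 0x88B5 (one of the IEEE 802 local experimental values) is the chosen frame type; the message layout (type byte, payload length, payload) is invented here; the MAC addresses, VLAN ids, network id encoding and certificate bytes in the demo are constructed.

```python
"""Control-channel frames without IP (added example, not the patent's code)."""
import struct

ETH_P_8021Q = 0x8100                     # IEEE 802.1Q tag protocol identifier
ETH_P_IP = 0x0800                        # IPv4, used below only as something to reject
CONTROL_ETHERTYPE = 0x88B5               # IEEE local-experimental EtherType (assumed choice)
MSG_REQUEST, MSG_NEW_CERT, MSG_HEARTBEAT = 1, 2, 3
HEADER = struct.Struct("!BH")            # message type, payload length (layout is assumed)
MIN_FRAME = 60                           # Ethernet minimum frame size without the FCS


def build_frame(dst_mac, src_mac, msg_type, payload, vid=None):
    """Wrap one control message in an Ethernet II frame, optionally 802.1Q tagged."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    if len(payload) > 1500 - HEADER.size:
        raise ValueError("payload does not fit one frame")
    body = (HEADER.pack(msg_type, len(payload)) + payload).ljust(46, b"\0")  # pad to minimum
    tag = b"" if vid is None else struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return dst_mac + src_mac + tag + struct.pack("!H", CONTROL_ETHERTYPE) + body


def parse_frame(frame, control_vid):
    """Return (src_mac, msg_type, payload), or None for anything the module must ignore."""
    if len(frame) < MIN_FRAME:
        return None
    src, off = bytes(frame[6:12]), 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == ETH_P_8021Q:                         # tagged: only the control VLAN counts
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        if tci & 0x0FFF != control_vid:
            return None
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != CONTROL_ETHERTYPE:                   # IPv4, ARP, IPv6 ...: no IP stack here
        return None
    off += 2
    if len(frame) < off + HEADER.size:
        return None
    msg_type, length = HEADER.unpack_from(frame, off)
    start = off + HEADER.size
    if msg_type not in (MSG_REQUEST, MSG_NEW_CERT, MSG_HEARTBEAT) or start + length > len(frame):
        return None
    return src, msg_type, bytes(frame[start:start + length])


def demo():
    """Constructed frames: a valid tagged request, an IPv4 frame, a mis-tagged request, a runt."""
    module_mac = bytes.fromhex("020000000001")          # constructed, locally administered
    terminal_mac = bytes.fromhex("020000000112")
    control_vid = 10                                     # constructed ids: 10 control, 20 extranet
    cert = bytes(range(16))                              # stand-in for a one-time certificate
    request = b"\x02" + cert                             # network id 2 = extranet (assumed encoding)
    good = build_frame(module_mac, terminal_mac, MSG_REQUEST, request, vid=control_vid)
    ping = module_mac + terminal_mac + struct.pack("!H", ETH_P_IP) + bytes(46)
    mistagged = build_frame(module_mac, terminal_mac, MSG_REQUEST, request, vid=20)
    return (parse_frame(good, control_vid), parse_frame(ping, control_vid),
            parse_frame(mistagged, control_vid), parse_frame(good[:30], control_vid))
```

`demo()` returns the parsed request for the well-formed frame and None for the other three. Sending such frames from a terminal requires a raw socket (AF_PACKET on Linux), which is exactly why a host with an ordinary IP stack cannot talk to the module by accident; the VLAN check is the parser's share of the isolation, since the switch's own VLAN parameter table is what keeps traffic from other virtual networks off the module's port in the first place.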
The method of the invention is not limited to the above embodiments; many variations and modifications are possible within its scope, such as dividing a network switch or another network access device, by parameter settings, into a number of mutually independent network segments between which no data can be transmitted.
Claims (10)
1. A control method for network connection/isolation, characterised in that it comprises the following steps: the terminal selects the network to be connected; a network connection control signal is sent to a control module located on a network switching hub; according to the network connection control signal, the control module sets the virtual network parameters so that the port of the switching hub to which the terminal is connected is dynamically assigned to the virtual network corresponding to the selected network, connecting the terminal to the network belonging to that virtual network and keeping it isolated from the networks that do not belong to it.
2. The method of claim 1, characterised in that the network switching hub supports the VLAN protocol, and the isolation control module located on the hub can, according to the network connection control signal and by setting the virtual network parameters, dynamically divide the hub into a number of mutually independent virtual networks, one of which is used to connect the control module and carry internal control commands while the others can be connected to different networks through their respective public ports; a user terminal is connected to some port of the hub, and that port is assigned to one of the virtual networks.
3. The method of claim 2, characterised in that the network connection control signal comprises a network request signal and a digital authentication certificate, and when the control module has examined the certificate and judged it valid, it modifies the virtual network parameter table according to the network request signal, dynamically assigning the port to the virtual network corresponding to the network selected by the user.
4. The method of claim 3, characterised in that the certificate the terminal sends to the control module is a one-time dynamic authentication certificate, and after judging the certificate legal the control module sends the terminal a new certificate for its next use.
5. The method of claim 4, characterised in that the certificate may be held in an internal or external storage device.
6. The method of claim 1, characterised in that it further comprises a timed monitoring step: the control module regularly monitors the network connection state of the terminal and, when it detects that this state has changed, disconnects the port from the virtual network it is currently connected to.
7. The method of claim 6, characterised in that the timed monitoring comprises the following steps:
the terminal sends a monitoring feature code to the control module at regular intervals;
when the control module does not receive the feature code from the terminal on time, or the received feature code is illegal, it disconnects the port from the currently connected virtual network by modifying the virtual network parameter table of the switching hub.
8. The method of claim 7, characterised in that the monitoring feature codes sent by one terminal change each time according to the same rule, and the feature codes sent by different terminals change each time according to different rules.
9. The method of claim 7, characterised in that the interval at which the monitoring feature code is sent is 50-300 milliseconds.
10. The method of any of claims 1-9, characterised in that the network switching hub is dynamically divided into three virtual networks used respectively for the intranet, the extranet and the control module, the virtual network corresponding to the intranet being connected to the internal LAN through its public port and the virtual network corresponding to the extranet being connected to the external Internet through its public port.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB011277076A CN1180359C (en) | 2001-08-01 | 2001-08-01 | Control method of network connection and separation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1400540A (en) | 2003-03-05 |
CN1180359C (en) | 2004-12-15 |
Family
ID=4667629
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB011277076A Expired - Fee Related CN1180359C (en) | 2001-08-01 | 2001-08-01 | Control method of network connection and separation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1180359C (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2004114605A1 (en) * | 2003-06-20 | 2004-12-29 | Zte Corporation | A method for ethernet network service safety isolation |
CN100463440C (en) * | 2003-06-20 | 2009-02-18 | 中兴通讯股份有限公司 | Method for ethernet service safety isolation |
CN100563249C (en) * | 2006-01-18 | 2009-11-25 | 中国科学院计算技术研究所 | Construction method for a domain-partitioned, traceable global network security system |
CN102546690A (en) * | 2010-12-16 | 2012-07-04 | 中华电信股份有限公司 | Device and method for switching network addresses |
CN102055765A (en) * | 2010-12-30 | 2011-05-11 | 恒生电子股份有限公司 | Network communication system |
CN102868641A (en) * | 2012-08-29 | 2013-01-09 | 上海斐讯数据通信技术有限公司 | Method for controlling WAN (wide area network) end of router to be connected to or disconnected from Internet |
CN103685080A (en) * | 2012-09-26 | 2014-03-26 | 上海斐讯数据通信技术有限公司 | Switch, wide area network connection system, network and wide area network connection control method |
CN103595789B (en) * | 2013-11-14 | 2016-09-21 | 国家电网公司 | WiFi-based wireless secure file sharing device for the power sector |
CN107155182A (en) * | 2016-03-03 | 2017-09-12 | 深圳市多尼卡电子技术有限公司 | Method and apparatus for protecting the security of a cabin WiFi network |
CN107155182B (en) * | 2016-03-03 | 2020-12-11 | 深圳市多尼卡电子技术有限公司 | Method and device for protecting safety of cabin WiFi network |
CN113259305A (en) * | 2020-02-13 | 2021-08-13 | 山东亚华电子股份有限公司 | Intranet and extranet communication method and device |
CN113259305B (en) * | 2020-02-13 | 2022-07-12 | 山东亚华电子股份有限公司 | Intranet and extranet communication method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102255903B (en) | Safety isolation method for virtual network and physical network of cloud computing | |
EP2204948B1 (en) | Apparatus, system and method for managing subscription requests for configuring a network interface component | |
US20080140811A1 (en) | Method and apparatus for a host controller operations over a network | |
CN114070723B (en) | Virtual network configuration method and system of bare metal server and intelligent network card | |
CN101001177A (en) | Single logical network interface for advanced load balancing and fail-over functionality | |
CN1180359C (en) | Control method of network connection and separation | |
US20110314087A2 (en) | Communication method and apparatus | |
US5930258A (en) | Structure for an electronic data system | |
CN103067242A (en) | Virtual machine system used for providing network service | |
CN110301125B (en) | Logical port authentication for virtual machines | |
US20050021654A1 (en) | Simultaneous sharing of storage drives on blade center | |
CN1299471C (en) | Broadband access server test gateway and test method | |
WO2007054447A1 (en) | Method for controlling mobile data connection through usb ethernet management | |
CN115002803B (en) | Terminal management method and device and electronic equipment | |
CN116455985A (en) | Distributed service system, method, computer equipment and storage medium | |
CN1152331C (en) | System for ensuring computer network information safety and corresponding method thereof | |
JP2017063336A (en) | Network control device and network control method | |
CN113014565B (en) | Zero trust architecture for realizing port scanning prevention and service port access method and equipment | |
CN105763661A (en) | Network protocol IP address obtaining method and communication equipment | |
Cisco | System Configuration | |
EP3028430B1 (en) | System allowing access to defined addresse after check with access-list | |
Cisco | System Configuration | |
US6111884A (en) | Method for using logical link control (LLC) to route traffic within a router | |
CN109451047A (en) | Data transferring method, device, equipment and the storage medium of monitoring warning system | |
WO2024125460A1 (en) | Communication processing method and apparatus, and device, system and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C19 | Lapse of patent right due to non-payment of the annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee |