CN1630252A - Broadband IP access equipment and method for realizing user log in same equipment - Google Patents


Info

Publication number
CN1630252A
Authority
CN
China
Prior art keywords
user
source
daily record
ucl
address
Prior art date
Legal status
Pending
Application number
CN 200310124111
Other languages
Chinese (zh)
Inventor
徐群
何宏伟
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date

Abstract

This invention discloses a method for realizing user logging in a broadband IP access device that has an access control list (ACL). A source user sends an access request; the IP access device queries the source user's access rights and log attribute from the ACL according to the source IP address and the destination IP address, establishes a user flow, and judges whether the source user's log information is to be recorded. If so, the relevant information contained in the user flow is reported and recorded; otherwise no log is made for the source user.

Description

Broadband IP access device and method for realizing user logging in the device
Technical field
The present invention relates to network technology, and in particular to a broadband IP access device and a method for realizing user logging in this device.
Background technology
The development of networks today not only lets people communicate normally and more efficiently, but has at the same time made the circulation of harmful information more convenient. The root cause of harmful information circulating on networks is that the interconnection of networks, and of the Internet in particular, leaves people's behaviour on the network in a largely anonymous state.
Broadband IP access products at present have no function for recording users' Internet access information; relatively detailed user Internet access information cannot be obtained, and users' access to illegal websites cannot be effectively supervised and managed.
Summary of the invention
The object of the present invention is to provide a broadband IP access device and a method for realizing user logging in this device, so that users' behaviour on the network can be managed and supervised.
The technical scheme for realizing the present invention:
A method for realizing user logging in a broadband IP access device, the broadband IP access device having an access control list (ACL); the method is:
a source user initiates an access request;
the broadband IP access device queries the source user's access rights and log attribute from the ACL according to at least the source IP address and the destination IP address;
the broadband IP access device establishes a user flow and determines according to the log attribute whether to record the log information of the source user; if so, the relevant information contained in the user flow is reported and recorded as log information; otherwise, no log is made for the source user.
According to the above method:
when a user accesses a network-side website, the source user's log attribute is queried from the UCL; when a user accesses another user, the source user's log attribute is queried from the IGAT.
Users that use the UCL and have the same access rights and log attribute form a User Control List group (UCL Group); the UCL takes the UCL Group together with the rule (Rule) number used to set access control rights as its lookup key, and whether access is permitted and whether logging is enabled as its table action. When a source user accesses a network-side website, the UCL Group to which the user belongs is first obtained according to the source IP address, the rule number is obtained according to the destination IP address, and the user's access rights and log attribute are obtained from the UCL according to this UCL Group and rule number.
The rule corresponds to a network range defined in the form "IP address + matching number".
Users that use the IGAT and have the same access rights and log attribute form an inter-group access control group (Inter Group); the IGAT takes the source Inter Group and destination Inter Group as its lookup key, and whether access is permitted and whether logging is enabled as its table action. When a source user accesses another user, the source Inter Group is first obtained according to the source IP address, the destination Inter Group is obtained according to the destination IP address, and the user's access rights and log attribute are obtained from the IGAT according to the source and destination Inter Groups.
The reported user log information is stored in a buffer area, and the user log information in the buffer area is written into a log file on a server when a trigger occurs.
The user log information comprises the user name, source MAC address, virtual private network identifier, source IP address, destination IP address and flow establishment time.
A broadband IP access device with a logging function comprises a processor and a memory, and further comprises:
a command module, for configuring the access control list and the user log function parameters;
a flow management module, for establishing user flows, determining at the same time whether to record the user log, and reporting the flow information of users whose log information needs to be recorded;
a service module, for managing user information and providing an interface to the command module for configuring users' access rights and log attribute;
a backup module, for recording the user flow information reported by the flow management module and backing up the user log information to a file server.
The present invention provides the user Internet-access log function on the broadband IP access device, so that network administrators can easily obtain details of the Internet access of the users under this access device without needing any other auxiliary device, and can thereby effectively supervise and manage users' Internet access.
Description of drawings
Fig. 1 is a block diagram of the modules that realize user logging in the broadband IP access device;
Fig. 2 is a schematic flow chart of service establishment;
Fig. 3 is an example of a user log.
Embodiment
The broadband IP access device has an access control list (ACL) composed of an inter-group access table (IGAT) and a user control list (UCL). The UCL is used when a user accesses a network-side website; the IGAT is used when a user accesses another user.
To realize the user log function, in addition to basic modules such as a processor and memory, the access device further comprises the following modules:
1. Flow management module: establishes user flows and uploads the flow information of users whose Internet-access log needs to be recorded to the log backup module.
The flow management module decides according to the configuration parameters whether to upload a user's flow-establishment information to the user log backup module, and uploads the flow-establishment information that needs to be recorded to the log backup module through a function interface.
2. Command module: configures the ACL and the user log function parameters.
Configuring the ACL covers the user control list (UCL) and the inter-group access table (IGAT), which are delivered to the flow management module. Configuring the user log function parameters covers enabling/disabling the user log function, the backup mode, the IP addresses of the primary and secondary FTP backup servers, and so on.
3. Backup module: records the user flow information uploaded by the flow management module and backs up the user log information to an external server.
According to the user flow information uploaded by flow management, the user's details are obtained from the service management module to form user log information, which is recorded into a memory area. Two memory blocks storing user log information are managed, and backup modes such as timed backup, quantitative backup (not configurable) and manual backup of user logs to an external server are provided. The backup module can also support primary and secondary TFTP backup servers.
4. Service module: manages user information and provides an interface for the command module to configure users' UCL-Group and Intergroup attributes; provides a query interface for user information to the service log module.
In the present invention, the access device can record the user logs of all users or of specific users; the configuration procedure is as follows:
To record the user logs of all users, enter the user log configuration mode with the "user log" command; use the "active user-log all" command to start the log function and specify that the Internet-access logs of all users are recorded; then configure the other user log function parameters.
To record the user logs of specific users, perform the following operations:
1. Enter the user log configuration mode with the "user log" command;
2. If the "active user-log all" command is used, the function of recording the Internet-access logs of all users is started; if the "active user-log auto" command is used, the function of recording only the Internet-access logs that match the access control list (ACL) specification is started.
3. Through the user service configuration commands, configure the User Control List groups (UCL Group) and inter-group access control groups (Inter Group) that need logging.
An InterGroup is the group identifier of a group into which users that use the IGAT and have the same access rights and log attribute are divided; a UCLGroup is the group identifier of a group into which users that use the UCL and have the same access rights and log attribute are divided.
4. Configure rules (Rule)
A Rule is a network range defined in the form "IP address + matching code", and is the object for which access control rights are set for a UCL-GROUP.
5. Configure the user log attribute of the ACL.
The ACL comprises two kinds of table: the user control list (UCL) and the inter-group access table (IGAT). The UCL's lookup key is formed from UCL-GROUP + Rule, and its table action is formed from attributes such as whether access is permitted (permit/deny) and whether to log; it can be used to control whether a user may access network-side websites and whether the access is logged. The inter-group access table (IGAT) has a lookup key formed from source InterGroup + destination InterGroup, and likewise a table action formed from whether access is permitted and whether to log; it can be used to control whether a user may access other users and whether the access is logged. The system has a default ACL from the start.
Referring to Fig. 2, the processing flow for recording user log information is as follows:
(1) When a user initiates access to a network-side website, the flow management module first establishes the user flow for the user's network access. Before establishing the flow, the flow management module looks up the user information table by the source IP address to obtain the user's UCL-GROUP and InterGroup. It also looks up the user information table by the destination IP address; if no user information is found there, it queries the Rule table to obtain the matching Rule number. It then searches the ACL table for the matching UCL by the key formed from the UCL-GROUP and the Rule number. If no configured UCL is found, the system default ACL is used. Then, according to the permit-access attribute in the action of the UCL found, or of the default ACL, a permit flow or a deny flow is established for the user. If the configuration is to record the logs of all users, it is determined directly that this user's log is recorded; if step 2 above configured recording specific logs, whether to log is determined by the user log attribute in the action of the UCL found or of the default ACL. If it has been determined that this log is recorded, the user information table index, source IP address, destination IP address, flow establishment time and similar information are reported to the log backup module, which records the Internet-access log information of this user.
(2) When a user initiates access to another user, the flow management module first establishes the user flow for the user-to-user access. Before establishing the flow, the flow management module looks up the user information table by the source IP address to obtain the user's UCL-GROUP and InterGroup. It also looks up the user information table by the destination IP address, and this time finds the destination user's UCL-GROUP and InterGroup. It then searches the ACL table for the matching IGAT by the key formed from the source InterGroup and the destination InterGroup. If no configured IGAT is found, the system default ACL is used. Then, according to the permit-access attribute in the action of the IGAT found, or of the default ACL, a permit flow or a deny flow is established for the user. If the configuration is to record the logs of all users, it is determined directly that this user's log is recorded; if the configuration is to record specific logs, whether to log is determined by the user log attribute in the action of the IGAT found or of the default ACL. If it has been determined that this log is recorded, the user information table index, source IP address, destination IP address, flow establishment time and similar information are reported to the log backup module, which records the Internet-access log information of this user.
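The two lookups described in the summary above and in steps (1) and (2) here (UCL keyed by UCL Group and Rule for network-side websites, IGAT keyed by source and destination Inter Group for user-to-user access, the default ACL as fallback, and the "all" versus ACL-driven log decision) can be modelled as follows. This is an added illustrative example, not code from the patent or from Huawei; the table contents, the class and function names, the modelling of a Rule as an IPv4 prefix (the patent says only "IP address + matching number"), and the use of the source IP as the user information table index are all assumptions.

```python
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Action:
    """Table action of a UCL or IGAT entry (field names are assumptions)."""
    permit: bool  # whether access is permitted (permit/deny)
    log: bool     # whether this user's Internet access is logged


@dataclass
class AccessDevice:
    # "all": log every user; "auto": log only what the ACL log attribute selects
    mode: str
    # constructed user information table: IP -> (user name, UCL Group, Inter Group)
    users: Dict[str, Tuple[str, int, int]]
    # constructed Rule table: Rule number -> network range, modelled as an IPv4 prefix (assumption)
    rules: Dict[int, ipaddress.IPv4Network]
    ucl: Dict[Tuple[int, Optional[int]], Action]  # (UCL Group, Rule) -> action
    igat: Dict[Tuple[int, int], Action]           # (src Inter Group, dst Inter Group) -> action
    default_acl: Action                           # used when no configured entry matches
    reported: List[dict] = field(default_factory=list)  # what the backup module receives

    def match_rule(self, dst_ip: str) -> Optional[int]:
        """Return the number of the most specific Rule whose range contains dst_ip."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for num, net in self.rules.items():
            if addr in net and (best is None or net.prefixlen > self.rules[best].prefixlen):
                best = num
        return best

    def build_flow(self, src_ip: str, dst_ip: str, now: Optional[int] = None) -> dict:
        """Steps (1)/(2): choose UCL or IGAT, decide permit/deny, decide and report the log."""
        if src_ip not in self.users:
            raise KeyError(f"source {src_ip} is not a known user")
        _, src_ucl_group, src_inter_group = self.users[src_ip]
        dst = self.users.get(dst_ip)
        if dst is None:
            # destination is not a user: network-side website, UCL keyed by (UCL Group, Rule)
            table = "UCL"
            action = self.ucl.get((src_ucl_group, self.match_rule(dst_ip)), self.default_acl)
        else:
            # destination is another user: IGAT keyed by (source Inter Group, destination Inter Group)
            table = "IGAT"
            action = self.igat.get((src_inter_group, dst[2]), self.default_acl)
        logged = True if self.mode == "all" else action.log
        flow = {"src_ip": src_ip, "dst_ip": dst_ip, "table": table,
                "permit": action.permit, "logged": logged}
        if logged:
            # report the user information table index, the addresses and the flow establishment time
            self.reported.append({"user_index": src_ip, "src_ip": src_ip, "dst_ip": dst_ip,
                                  "time": int(time.time()) if now is None else now})
        return flow


def make_device(mode: str = "auto") -> AccessDevice:
    """Build a device with constructed sample tables (not taken from the patent)."""
    return AccessDevice(
        mode=mode,
        users={"10.0.0.5": ("alice", 1, 100), "10.0.0.9": ("bob", 2, 200)},
        rules={1: ipaddress.ip_network("203.0.113.0/24"),
               2: ipaddress.ip_network("198.51.100.0/24")},
        ucl={(1, 1): Action(permit=True, log=True),     # group 1 may reach Rule 1 sites, logged
             (2, 1): Action(permit=False, log=False)},  # group 2 is denied Rule 1 sites
        igat={(100, 200): Action(permit=True, log=False)},
        default_acl=Action(permit=True, log=False),
    )


if __name__ == "__main__":
    dev = make_device("auto")
    for src, dst in [("10.0.0.5", "203.0.113.7"), ("10.0.0.9", "203.0.113.7"),
                     ("10.0.0.5", "10.0.0.9"), ("10.0.0.5", "192.0.2.1")]:
        print(dev.build_flow(src, dst, now=1000))
    print("reported to backup module:", dev.reported)
```

The fourth flow in the usage block reaches an address covered by no Rule, so the (UCL Group, None) key misses and the default ACL applies; switching `make_device("all")` makes every flow logged regardless of the table action, which is the "active user-log all" behaviour the configuration procedure describes.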
The processing flow of the log backup module is as follows:
The backup module receives the user information table index provided by the flow management module, queries the service management module for the user's user name, source MAC address, VLAN ID and so on, and writes all of the above information directly into a memory area. The memory is divided into two blocks; when one block has been written full or the timed-backup timer expires, a backup is triggered and the block is backed up to the external server via TFTP. Subsequent information is written into the other memory block. There are three event sources that trigger a backup: manual trigger, memory-block-full trigger and timed-backup timer expiry. A manual trigger is the user executing the manual backup command on the command line; a memory-block-full trigger means that a backup is triggered once a memory block has been written full; a timer trigger is used when the user enables the timed backup function, and a backup is triggered once per timing period set by the user. After the backup task receives an event triggering the backup of user logs, it performs the backup operation directly on the address of the user log storage area, without any format conversion of the information; the file backed up to the external server is of binary type. For the sake of backup speed, only the TFTP mode is used. The backup module can back up to the external server either through the device's dedicated out-of-band network interface over an out-of-band channel, or through a service interface over an in-band channel, as decided by command-line configuration.
After the user log has been backed up to the TFTP (Trivial File Transfer Protocol) server, the user log can be viewed with a dedicated user log analysis tool; an example is shown in Fig. 3.
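The double-buffered storage with its three backup triggers, the binary file written without format conversion, and the record fields listed in the summary (user name, source MAC, VLAN ID, source and destination IP, flow establishment time) can be modelled as follows, together with the unpacking an analysis tool would do. This is an added illustrative example, not code from the patent or from Huawei; the 52-byte record layout, the callback standing in for the TFTP transfer, the injectable clock and all names are assumptions.

```python
import ipaddress
import struct
import time
from typing import Callable, List, Optional, Tuple

# Binary record layout (assumption; the patent fixes no format): user name (32 bytes, NUL padded),
# source MAC (6), VLAN ID (2), source IP (4), destination IP (4), flow establishment time (4)
RECORD = struct.Struct("!32s6sH4s4sI")


def pack_record(user: str, mac: str, vlan: int, src_ip: str, dst_ip: str, flow_time: int) -> bytes:
    """Form one user log record from the details the service module returns."""
    return RECORD.pack(user.encode()[:32], bytes.fromhex(mac.replace(":", "")), vlan,
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed, flow_time)


def parse_records(data: bytes) -> List[dict]:
    """What an analysis tool does with a backed-up file: unpack the raw records."""
    out = []
    for user, mac, vlan, src, dst, t in RECORD.iter_unpack(data):
        out.append({"user": user.rstrip(b"\0").decode(), "mac": mac.hex(":"), "vlan": vlan,
                    "src_ip": str(ipaddress.IPv4Address(src)),
                    "dst_ip": str(ipaddress.IPv4Address(dst)), "time": t})
    return out


class LogBackup:
    """Two memory blocks; a backup runs on block full, timer expiry or manual command."""

    def __init__(self, capacity_records: int, period: float,
                 upload: Callable[[bytes], None], now: Callable[[], float] = time.monotonic):
        self.capacity = capacity_records * RECORD.size
        self.blocks = [bytearray(), bytearray()]
        self.active = 0                  # block currently being written
        self.period = period             # timed-backup interval in seconds
        self.upload = upload             # stands in for the TFTP transfer to the server
        self.now = now
        self.last_backup = now()
        self.history: List[Tuple[str, int]] = []  # (trigger, bytes backed up)

    def _backup(self, trigger: str) -> Optional[bytes]:
        block = self.blocks[self.active]
        if not block:
            return None                  # nothing buffered, nothing to back up
        data = bytes(block)              # sent as-is: no format conversion, binary file
        block.clear()
        self.active ^= 1                 # later records go to the other block
        self.upload(data)
        self.history.append((trigger, len(data)))
        self.last_backup = self.now()
        return data

    def record(self, rec: bytes) -> Optional[bytes]:
        """Write one record; a full block triggers a backup."""
        self.blocks[self.active] += rec
        if len(self.blocks[self.active]) >= self.capacity:
            return self._backup("full")
        return None

    def tick(self) -> Optional[bytes]:
        """Called periodically; backs up when the timed-backup timer has expired."""
        if self.now() - self.last_backup >= self.period:
            return self._backup("timer")
        return None

    def manual(self) -> Optional[bytes]:
        """The command-line manual backup command."""
        return self._backup("manual")


if __name__ == "__main__":
    files = []
    backup = LogBackup(capacity_records=2, period=60, upload=files.append)
    rec = pack_record("alice", "00:11:22:33:44:55", 10, "10.0.0.5", "203.0.113.7", 1000)
    backup.record(rec)
    backup.record(rec)                   # second record fills the block, which triggers a backup
    print(backup.history, parse_records(files[0]))
```

Because the backup copies the block verbatim, anything that reads the file needs the same `RECORD` layout; the record is kept fixed-width so that a file of any size splits cleanly into records.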
The present invention can record information about particular users' Internet access on demand, adds a means for network administrators to supervise and manage users, and can guarantee the normal use of the network.

Claims (10)

1. A method for realizing user logging in a broadband IP access device, the broadband IP access device having an access control list (ACL), characterized in that the method is:
a source user initiates an access request;
the broadband IP access device queries the source user's access rights and log attribute from the ACL according to at least the source IP address and the destination IP address;
the broadband IP access device establishes a user flow and determines according to the log attribute whether to record the log information of the source user; if so, the relevant information contained in the user flow is reported and recorded as log information; otherwise, no log is made for the source user.
2. The method according to claim 1, characterized in that, when a user accesses a network-side website, the source user's log attribute is queried from the user control list (UCL) of the ACL, and when a user accesses another user, the source user's log attribute is queried from the inter-group access table (IGAT) of the ACL.
3. The method according to claim 2, characterized in that, before querying the UCL or IGAT, it is first judged according to a configuration item in the ACL whether all users are to be logged; if so, the user is logged directly; otherwise the UCL or IGAT is queried to determine whether the user is to be logged.
4. The method according to claim 2, characterized in that users that use the UCL and have the same access rights and log attribute form a User Control List group (UCL Group); the UCL takes the UCL Group together with the rule (Rule) number used to set access control rights as its lookup key, and whether access is permitted and whether logging is enabled as its table action; when a source user accesses a network-side website, the UCL Group to which the user belongs is first obtained according to the source IP address, the rule number is obtained according to the destination IP address, and the user's access rights and log attribute are obtained from the UCL according to this UCL Group and rule number.
5. The method according to claim 4, characterized in that the rule corresponds to a network range defined in the form "IP address + matching number".
6. The method according to claim 2, characterized in that users that use the IGAT and have the same access rights and log attribute form an inter-group access control group (Inter Group); the IGAT takes the source Inter Group and destination Inter Group as its lookup key, and whether access is permitted and whether logging is enabled as its table action; when a source user accesses another user, the source Inter Group is first obtained according to the source IP address, the destination Inter Group is obtained according to the destination IP address, and the user's access rights and log attribute are obtained from the IGAT according to the source and destination Inter Groups.
7. The method according to any one of claims 1 to 6, characterized in that the reported user log information is stored in a buffer area, and the user log information in the buffer area is written into a log file on a server when a trigger occurs.
8. The method according to claim 7, characterized in that the trigger is a buffer-full trigger, a timed-backup trigger or a manual trigger.
9. The method according to claim 1, characterized in that the user log information comprises the user name, source MAC address, virtual private network identifier, source IP address, destination IP address and flow establishment time.
10. A broadband IP access device with a logging function, comprising a processor and a memory, characterized in that it further comprises:
a command module, for configuring the access control list and the user log function parameters;
a flow management module, for establishing user flows, determining at the same time whether to record the user log, and reporting the flow information of users whose log information needs to be recorded;
a service module, for managing user information and providing an interface to the command module for configuring users' access rights and log attribute;
a backup module, for recording the user flow information reported by the flow management module and backing up the user log information to a file server.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200310124111 CN1630252A (en) 2003-12-16 2003-12-16 Broadband IP access equipment and method for realizing user log in same equipment

Publications (1)

Publication Number Publication Date
CN1630252A true CN1630252A (en) 2005-06-22

Family

ID=34844935

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200310124111 Pending CN1630252A (en) 2003-12-16 2003-12-16 Broadband IP access equipment and method for realizing user log in same equipment

Country Status (1)

Country Link
CN (1) CN1630252A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007140686A1 (en) * 2006-06-07 2007-12-13 Huawei Technologies Co., Ltd. A method, system and device for reporting the user agent profile information
CN100420240C (en) * 2006-03-30 2008-09-17 华为技术有限公司 Multi-cast broadcasting popedom controlling method
CN101163265B (en) * 2007-11-20 2010-08-18 中兴通讯股份有限公司 Distributed database based on multimedia message log inquiring method and system
CN102065416A (en) * 2009-11-18 2011-05-18 成都市华为赛门铁克科技有限公司 Method, device and system for formatting logs
CN102318314A (en) * 2011-07-29 2012-01-11 华为技术有限公司 Method and devices for handling access authorities
CN101252592B (en) * 2008-04-14 2012-12-05 工业和信息化部电信传输研究所 Method and system for tracing network source of IP network
CN102930207A (en) * 2012-04-27 2013-02-13 北京金山安全软件有限公司 API log monitoring method and device
CN107103216A (en) * 2011-03-25 2017-08-29 株式会社野村综合研究所 Business information protector

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100420240C (en) * 2006-03-30 2008-09-17 华为技术有限公司 Multi-cast broadcasting popedom controlling method
US8924463B2 (en) 2006-06-07 2014-12-30 Huawei Technologies Co., Ltd. Method, system and device for reporting user agent profile information
CN101313544B (en) * 2006-06-07 2013-04-17 华为技术有限公司 Method, system and apparatus for uploading user proxy archive information
WO2007140686A1 (en) * 2006-06-07 2007-12-13 Huawei Technologies Co., Ltd. A method, system and device for reporting the user agent profile information
US8620992B2 (en) 2006-06-07 2013-12-31 Huawei Technologies Co., Ltd. Method, system and device for reporting user agent profile information
CN101163265B (en) * 2007-11-20 2010-08-18 中兴通讯股份有限公司 Distributed database based on multimedia message log inquiring method and system
CN101252592B (en) * 2008-04-14 2012-12-05 工业和信息化部电信传输研究所 Method and system for tracing network source of IP network
CN102065416B (en) * 2009-11-18 2014-11-19 成都市华为赛门铁克科技有限公司 Method, device and system for formatting logs
CN102065416A (en) * 2009-11-18 2011-05-18 成都市华为赛门铁克科技有限公司 Method, device and system for formatting logs
CN107103216B (en) * 2011-03-25 2020-08-25 株式会社野村综合研究所 Service information protection device
CN107103216A (en) * 2011-03-25 2017-08-29 株式会社野村综合研究所 Business information protector
WO2012109854A1 (en) * 2011-07-29 2012-08-23 华为技术有限公司 Access permission control method and device
CN102318314B (en) * 2011-07-29 2013-09-11 华为技术有限公司 Method and devices for handling access authorities
CN102318314A (en) * 2011-07-29 2012-01-11 华为技术有限公司 Method and devices for handling access authorities
CN102930207A (en) * 2012-04-27 2013-02-13 北京金山安全软件有限公司 API log monitoring method and device
CN102930207B (en) * 2012-04-27 2015-11-04 北京金山安全软件有限公司 API log monitoring method and device

Similar Documents

Publication Publication Date Title
RU2417417C2 (en) Real-time identification of resource model and resource categorisation for assistance in protecting computer network
CN109286676B (en) Electric power data safety information system based on block chain
US20080189543A1 (en) Method and system for reducing a size of a security-related data object stored on a token
US20030004950A1 (en) Integrated procedure for partitioning network data services among multiple subscribers
CN101188557B (en) Method, client, server and system for managing user network access behavior
CN103581363A (en) Method and device for controlling baleful domain name and illegal access
US20050108257A1 (en) Emergency access interception according to black list
JP2000174807A (en) Method and system for attribute path of multi-level security for stream and computer program product
CN1194502C (en) System and method for managing access authority of network users
CN1874254A (en) Method for browsing data based on structure of client end / server end
CN113051570B (en) Server access monitoring method and device
CN1804831A (en) Network cache management system and method
US6993577B2 (en) System and method for migration of subscriber data
CN1630252A (en) Broadband IP access equipment and method for realizing user log in same equipment
CN1411209A (en) Method of detecting and monitoring malicious user host machine attack
CN1852263A (en) Message access controlling method and a network apparatus
CN1521993A (en) Network control method and equipment
CN1809108A (en) Filter based call ticket memory repetition elimination method
CN1360261A (en) By-pass intercepting and reducing method for database access
CN1503952A (en) Method and system for restricting access from external
US9363231B2 (en) System and method for monitoring network communications originating in monitored jurisdictions
CN115952146A (en) File management system applied to key information supervision of direct-current control protection device
CN1859384A (en) Method for controlling user's message passing through network isolation device
CN1822565A (en) Network with MAC table overflow protection
CN1099783C (en) Network conference system capable of supporting several protocols

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20050622