CN1638330A - System and method for providing arresting service to harmful website connection - Google Patents
- Publication number: CN1638330A (application CN200410003192A)
- Authority: CN (China)
- Prior art keywords
- subscriber
- harmful site
- service
- blocking
- user
- Prior art date
- Legal status: Pending (Google's assumption, not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/029—Firewall traversal, e.g. tunnelling or, creating pinholes
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/306—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Technology Law (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Disclosed is a system and method for providing a service of blocking connection to harmful sites, which employs both a tunneling protocol and a packet mirroring mode. When the connection blocking service is selectively provided to Internet users, a tunneling protocol such as L2TP (layer 2 tunneling protocol), GRE (generic routing encapsulation), MPLS (multi protocol label switching) or IPSec (IP security) is employed to effectively prevent connection to harmful sites such as sexual or gambling sites at the request of users. Accordingly, the Internet users are classified into subscribers and non-subscribers of the connection blocking service to implement the harmful site connection blocking function. When a malfunction occurs in the system due to an overload of the system, a packet mirroring mode, which has no influence on the network load, is activated to provide the connection blocking service.
Description
Technical field
The present invention relates to a system and method for providing a harmful site connection blocking service by using a tunneling protocol, a packet mirroring mode and an ACL (Access Control List), and more particularly to a system and method that uses a tunneling protocol and a packet mirroring mode to provide the harmful site connection blocking service to users authenticated as service subscribers, while providing ordinary Internet service to users who are not authenticated as subscribers.
Background technology
Fig. 1 shows the structure of a conventional harmful site connection blocking system, which is now described with reference to that figure.
All traffic is routed through the L4 switch (layer 4 switch) 30 of the blocking system. Without any distinction between subscribers 20 of the harmful site connection blocking service and non-subscribers 10, the high-speed Internet traffic enters the L4 switch 30 of the blocking system. Only after subscribers 20 and non-subscribers 10 have been distinguished there is non-subscriber traffic coupled or connected directly to the Internet, while the traffic of subscribers 20 is passed to the blocking servers 40a and 40b, filtered according to the rules defined in the L4 switch 30, and then connected to the Internet.
Because subscribers 20 and non-subscribers 10 are not distinguished before the traffic reaches the blocking system, a heavy load is placed on the L4 switch 30 and the system may fail.
In other words, the prior art has the following problem: since the blocking service is provided without distinguishing subscribers of the blocking service from non-subscribers, all traffic is concentrated on the L4 switch 30, which places a huge load on it.
Summary of the invention
Accordingly, the present invention has been made in view of the above problems. One object of the present invention is to provide a system and method for providing a harmful site connection blocking service in which a tunneling protocol is used to separate the traffic of subscribers of the connection blocking service from the traffic of non-subscribers, so that non-subscriber traffic is coupled or connected directly to the Internet while only subscriber traffic is aggregated at one location and passed through the blocking system. The connection blocking service is thus provided without affecting the traffic of other Internet users, and even if the blocking system fails, Internet access is not impaired.
According to one aspect of the present invention, the above and other objects are achieved by a system for providing a harmful site connection blocking service based on a tunneling protocol and a packet mirroring mode, the system comprising: a NAS (Network Access Server) that checks user IDs with respect to the connection blocking service, divides them into subscriber IDs and non-subscriber IDs of the connection blocking service, and routes them accordingly; an authentication server that authenticates the IDs of high-speed Internet users and the IDs of connection blocking service subscribers; a router that forwards the Internet traffic received from the NAS on the basis of a tunneling protocol, the tunneling protocol comprising at least one of L2TP (Layer 2 Tunneling Protocol), the GRE (Generic Routing Encapsulation) tunneling protocol, the MPLS (Multi Protocol Label Switching) tunneling protocol and the IPSec (IP Security) tunneling protocol; and a blocking system having a harmful site connection blocking function.
According to another aspect of the present invention, there is provided a method for providing a harmful site connection blocking service, comprising the steps of: a) subscribing to the harmful site connection blocking service, being assigned a subscriber ID for the service, and then attempting to access the system that provides the service; b) if the high-speed Internet user ID is authenticated, checking in the authentication server whether the ID is a subscriber ID or a non-subscriber ID of the service, and if the ID cannot be authenticated, denying Internet access; c) if the user has a subscriber ID of the service and accesses a harmful site, sending an "access blocked" message to the user through the tunneling scheme, and if the user does not access a harmful site, allowing the user to access the Internet and then ending the method or returning to step a); d) if the system cannot operate normally because of a system failure caused by overload while the tunneling scheme is in use, activating the packet mirroring mode; and e) if the user has a non-subscriber ID, allowing the user to access the Internet and ending the method.
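The following Python model, added here as an illustration and not part of the patent, walks a handful of requests through steps a) to e): the authentication server reports whether an ID is unknown, a non-subscriber, or a blocking-service subscriber; the NAS sends subscribers to the blocking system over the tunnel path, sends non-subscribers straight to the Internet, and switches to mirroring mode once the tunnel path reports overload. The class names, the user table, the harmful-site list and the capacity counter standing in for system load are all constructed assumptions; the patent does not say how the blocking system decides that a site is harmful or how overload is detected.

```python
"""Steps a) to e) of the blocking method as a small simulation.

Added example, not the patent's code. AuthServer, NAS, BlockingSystem,
the user table, the harmful-site list and the capacity counter are
constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Path(Enum):
    DENIED = "denied"   # b): Internet user ID not authenticated
    DIRECT = "direct"   # e): non-subscriber, straight to the Internet
    TUNNEL = "tunnel"   # c): subscriber, via the tunnel to the blocking system
    MIRROR = "mirror"   # d): tunnel path overloaded, packet mirroring mode


class AuthServer:
    """Stands in for the RADIUS server: every Internet user ID and whether
    that ID has subscribed to the blocking service."""

    def __init__(self, users: Dict[str, bool]):
        self._users = users  # user_id -> is_blocking_subscriber

    def authenticate(self, user_id: str) -> Optional[bool]:
        """None when the Internet user ID itself is unknown."""
        return self._users.get(user_id)


@dataclass
class BlockingSystem:
    harmful_sites: frozenset
    capacity: int        # tunnelled sessions it can carry before it is overloaded
    sessions: int = 0

    @property
    def overloaded(self) -> bool:
        return self.sessions >= self.capacity

    def check(self, host: str) -> Optional[str]:
        """'access blocked' message if host or a parent domain is listed."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):          # never match the bare TLD
            if ".".join(labels[i:]) in self.harmful_sites:
                return f"access blocked: {host}"
        return None


@dataclass
class NAS:
    auth: AuthServer
    blocker: BlockingSystem
    mirror_mode: bool = False   # set once step d) has fired; stays set

    def route(self, user_id: str) -> Path:
        """Decide which path this user's traffic takes (steps b, c/d, e)."""
        subscriber = self.auth.authenticate(user_id)
        if subscriber is None:
            return Path.DENIED
        if not subscriber:
            return Path.DIRECT
        if self.mirror_mode or self.blocker.overloaded:
            self.mirror_mode = True               # step d): fall back to mirroring
            return Path.MIRROR
        self.blocker.sessions += 1                # one more tunnelled session
        return Path.TUNNEL

    def request(self, user_id: str, host: str) -> str:
        """Outcome for user_id trying to reach host."""
        path = self.route(user_id)
        if path is Path.DENIED:
            return "denied"
        if path is Path.DIRECT:
            return "allowed"
        # TUNNEL and MIRROR both end at the blocking system's decision
        return self.blocker.check(host) or "allowed"


def build_demo() -> NAS:
    """Constructed sample deployment: four known IDs, three of them
    subscribers, and a blocking system that carries two tunnelled sessions."""
    auth = AuthServer({"alice": True, "bob": False, "carol": True, "dave": True})
    blocker = BlockingSystem(frozenset({"gambling.test", "adult.test"}), capacity=2)
    return NAS(auth, blocker)


if __name__ == "__main__":
    nas = build_demo()
    for uid, host in [("alice", "www.gambling.test"), ("bob", "www.gambling.test"),
                      ("mallory", "news.test"), ("carol", "news.test"),
                      ("dave", "adult.test")]:
        print(f"{uid:8s} {host:20s} {nas.request(uid, host)}")
```

The third subscriber session in the demo exceeds the constructed capacity, so the NAS flips to mirroring mode and stays there; the patent's step d) does not describe a return to the tunnel path, so the model does not add one.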
Description of drawings
The above and other objects, features and advantages of the present invention will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a block diagram of a conventional system architecture for blocking harmful site connections;
Fig. 2 is a block diagram of a network configuration for providing the harmful site connection blocking service according to the present invention, using L2TP (Layer 2 Tunneling Protocol);
Fig. 3 is a block diagram of a network configuration for providing the harmful site connection blocking service according to the present invention, using the GRE (Generic Routing Encapsulation) tunneling protocol;
Fig. 4 is a block diagram of a network configuration for providing the harmful site connection blocking service according to the present invention, using the MPLS (Multi Protocol Label Switching) tunneling protocol;
Fig. 5 is a block diagram of a network configuration for providing the harmful site connection blocking service according to the present invention, using the IPSec (IP Security) tunneling protocol;
Fig. 6 shows the configuration of a system for providing the harmful site connection blocking service according to the present invention, operating in the packet mirroring mode;
Fig. 7 shows a network configuration for providing the harmful site connection blocking service according to the present invention, operating in the packet mirroring mode and using an L3 switch;
Fig. 8 is a flowchart of a method for providing the harmful site connection blocking service according to the present invention; and
Fig. 9 is a flowchart of a method for providing the harmful site connection blocking service according to the present invention for the case in which the harmful site blocking system cannot operate normally because of a system overload while the tunneling scheme is in use.
Detailed description
Preferred embodiments of the present invention will now be described with reference to the accompanying drawings.
First, the basic concept of the tunneling protocols used in the present invention is described. Tunneling can be defined as a technique that opens a tunnel between a sender and a receiver and so creates a channel between them that is closed to third parties. With this technique, data is encapsulated before it is transmitted from the sender, so that parties other than the sender and receiver cannot recognize the data.
A tunneling scheme can carry any payload, allows many users to access various types of payload simultaneously, can perform multi-protocol handling and security authentication, and can provide high security or integrity services.
In the present invention, the tunneling protocols used to implement the system for providing the harmful site connection blocking service are L2TP (Layer 2 Tunneling Protocol), the GRE (Generic Routing Encapsulation) tunneling protocol, the MPLS (Multi Protocol Label Switching) tunneling protocol and the IPSec (IP Security) tunneling protocol. Of these, only IPSec encrypts and authenticates the encapsulated traffic; L2TP, GRE and MPLS only encapsulate it, so the confidentiality and integrity attributed to tunneling above hold for them only when they are themselves carried over IPSec or another protected transport.
Fig. 2 is a block diagram of a system configuration for providing the harmful site connection blocking service based on L2TP according to the present invention. As shown in the figure, the system comprises a network access server (NAS) 120, an authentication server 130, a router 140, a router or LNS (L2TP Network Server) 140-1 and a harmful site blocking system 150. The NAS 120 checks user IDs with respect to the harmful site connection blocking service, divides them into subscriber IDs 110 (the targets of the harmful site connection blocking service) and non-subscriber IDs 100, and routes them accordingly. The authentication server 130 authenticates the high-speed Internet user IDs and the subscriber IDs of the harmful site connection blocking service. The routers 140 and 140-1 route the Internet traffic. The blocking system 150 blocks connections to harmful sites. The system for providing the harmful site blocking service is now described in detail with reference to Fig. 2.
Each NAS 120 sends the traffic of user IDs that are targets of the blocking service to the LNS (L2TP Network Server) 140-1 through an L2TP tunnel, and the LNS 140-1 forwards that traffic to the blocking system 150.
When an Internet access user who has requested that connections to harmful sites be blocked attempts to access the Internet, the NAS 120 authenticates the user through the authentication server 130 as a subscriber of the harmful site blocking service and accordingly forwards the traffic to the blocking system 150 through the LNS 140-1. During this process an L2TP tunnel is created between the NAS 120 and the LNS 140-1, and the subscriber's traffic is sent through that tunnel.
If an Internet access user who is not a subscriber of the harmful site blocking service attempts to access the Internet, the NAS 120 authenticates the user through the authentication server 130 as a non-subscriber and then lets the user reach the Internet service or general communication service through another router.
Specifically, the NAS located at a POP (Point of Presence) receives and forwards subscriber traffic, and aggregates the traffic received from the Internet and delivers it to subscribers in point-to-point form. The L2TP function is activated on the access server so that it operates as an LAC (L2TP Access Concentrator). The router used as LNS is connected through an L2TP tunnel to the NAS acting as LAC and serves as the termination system for the LAC; this termination system corresponds to the LNS described above.
The authentication server (RADIUS) 130 authenticates the IDs of Internet service users and the IDs of connection blocking service users. The harmful site blocking system 150 comprises an L4 switch 151 and a blocking server 152, which perform the connection blocking function.
As described above, the system for providing the harmful site connection blocking service uses L2TP, with the NAS 120 acting as LAC and the router 140-1 acting as LNS. The harmful site blocking system is therefore connected to, or applied at, the LNS. After an ID that is a target of the harmful site connection blocking service is authenticated, its data is transmitted through the L2TP tunnel between the NAS and the LNS and thereby delivered to the blocking system.
Fig. 3 is a block diagram of the structure of a system for providing the harmful site connection blocking service according to the present invention using the GRE (Generic Routing Encapsulation) tunneling protocol. As shown in the figure, the system comprises a network access server (NAS) 120a, an authentication server 130, a router 140, a router (GRE endpoint) 140-1 and a harmful site blocking system 150. The NAS 120a checks user IDs with respect to the harmful site connection blocking service, divides them into subscriber IDs 110 and non-subscriber IDs 100 of the blocking service, and routes them accordingly. The authentication server 130 authenticates the high-speed Internet user IDs and the subscriber IDs of the harmful site connection blocking service. The routers 140 and 140-1 forward the Internet traffic. The blocking system 150 prevents connections to harmful sites. The system for providing the harmful site blocking service is now described in detail with reference to Fig. 3.
Each NAS 120a acts as the GRE origin: it encapsulates the traffic of subscriber IDs that are targets of the blocking service in GRE and sends the GRE packets through a GRE tunnel to the GRE endpoint. The GRE endpoint decapsulates the GRE packets and forwards them to the blocking system 150.
When an Internet access user who has requested that connections to harmful sites be blocked attempts to access the Internet, the NAS 120a authenticates the user through the authentication server 130 as a subscriber of the harmful site blocking service and accordingly forwards the traffic to the blocking system 150 through the GRE endpoint. During this process a GRE tunnel is created between the NAS 120a acting as GRE origin and the router 140-1 acting as GRE endpoint. Only the subscriber's upstream traffic passes through the GRE tunnel for the blocking service; downstream traffic uses the same path as that of non-subscribers of the blocking service, so it passes through neither the GRE tunnel nor the blocking system 150.
If an Internet access user who is not a subscriber of the harmful site blocking service attempts to access the Internet, the NAS 120a authenticates the user through the authentication server 130 as a non-subscriber and then lets the user reach the Internet service or general communication service through the router 140.
As described above, the system for providing the harmful site connection blocking service uses the GRE tunneling protocol, with the NAS 120a acting as GRE origin and the router 140-1 acting as GRE endpoint. Accordingly, the harmful site blocking system 150 is connected to, or applied at, the GRE endpoint. After an ID that is a target of the harmful site connection blocking service is authenticated, its data is transmitted through the GRE tunnel between the GRE origin (the NAS) 120a and the GRE endpoint and thereby delivered to the blocking system 150.
Fig. 4 is a block diagram of a system configuration for providing the harmful site connection blocking service according to the present invention using the MPLS (Multi Protocol Label Switching) tunneling protocol. As shown in the figure, the system comprises a network access server (NAS) 120b, an authentication server 130, a router 140, a router (MPLS endpoint) 140-2 and a harmful site blocking system 150. The NAS 120b checks user IDs with respect to the harmful site connection blocking service, divides them into subscriber IDs 110 and non-subscriber IDs 100 of the blocking service, and routes them accordingly. The authentication server 130 authenticates the high-speed Internet user IDs and the subscriber IDs of the harmful site connection blocking service. The routers 140 and 140-2 forward the Internet traffic. The blocking system 150 prevents connections to harmful sites. The system for providing the harmful site blocking service is now described in detail with reference to Fig. 4.
Each NAS 120b acts as the MPLS origin: it encapsulates the traffic of subscriber IDs that are targets of the blocking service into MPLS packets and sends them through an MPLS tunnel to the MPLS endpoint. The MPLS endpoint decapsulates the MPLS packets and forwards them to the blocking system 150.
When an Internet access user who has requested that connections to harmful sites be blocked attempts to access the Internet, the NAS 120b authenticates the user through the authentication server 130 as a subscriber of the harmful site blocking service and accordingly routes the traffic to the blocking system 150 through the MPLS endpoint. During this process an MPLS tunnel is created between the NAS 120b acting as MPLS origin and the router 140-2 acting as MPLS endpoint. Only the subscriber's upstream traffic passes through the MPLS tunnel for the blocking service; downstream traffic uses the same path as that of non-subscribers of the blocking service, so it passes through neither the MPLS tunnel nor the blocking system 150.
If an Internet access user who is not a subscriber of the harmful site blocking service attempts to access the Internet, the NAS 120b authenticates the user through the authentication server 130 as a non-subscriber and then lets the user reach the Internet service or general communication service through the router 140.
As described above, the system for providing the harmful site connection blocking service uses the MPLS tunneling protocol, with the NAS 120b acting as MPLS origin and the router 140-2 acting as MPLS endpoint. Accordingly, the harmful site blocking system 150 is connected to, or applied at, the MPLS endpoint. After an ID that is a target of the harmful site connection blocking service is authenticated, its data is transmitted through the MPLS tunnel between the MPLS origin (the NAS) 120b and the MPLS endpoint and thereby delivered to the blocking system 150.
Fig. 5 is a block diagram of the structure of a system for providing the harmful site connection blocking service according to the present invention using the IPSec (IP Security) tunneling protocol.
IPSec has two modes: tunnel mode and transport mode. In tunnel mode, the entire IPv4 packet is encapsulated in a new, secured IP packet, so that the protected information can be carried from one blocking system (security gateway) to another. In transport mode, only the payload of the packet is protected, so that it is carried securely from one endpoint to another endpoint (that is, to a point on the internal network protected by the blocking system).
Using these features of the IPSec tunneling protocol, the system according to the present invention provides the harmful site connection blocking service and, as shown in Fig. 5, comprises a network access server (NAS) 120c, an authentication server 130, a router 140, a router (endpoint to endpoint) 140-3 and a harmful site blocking system 150. The NAS 120c checks user IDs with respect to the harmful site connection blocking service, divides them into subscriber IDs 110 and non-subscriber IDs 100 of the blocking service, and routes them accordingly. The authentication server 130 authenticates the high-speed Internet user IDs and the subscriber IDs of the harmful site connection blocking service. The routers 140 and 140-3 route the Internet traffic. The blocking system 150 blocks connections to harmful sites. The system for providing the harmful site blocking service is now described in detail with reference to Fig. 5.
Each NAS 120c first operates in tunnel mode, encapsulating the traffic of subscriber IDs that are targets of the blocking service in secured IPv4 packets, and then operates in transport mode to deliver it to an endpoint (that is, a point on the internal network protected by the blocking system). The other endpoint decapsulates the IPv4 packets and forwards them to the blocking system 150.
When an Internet access user who has requested that connections to harmful sites be blocked attempts to access the Internet, the NAS 120c authenticates the user through the authentication server 130 as a subscriber of the harmful site blocking service and accordingly transfers the data to the blocking system 150 over the endpoint-to-endpoint path. During this process the subscriber's traffic is transmitted as IPv4 packets created in tunnel mode between the NAS 120c acting as one endpoint and the router 140-3 acting as the other endpoint. Only the subscriber's upstream traffic passes through tunnel mode for the blocking service; downstream traffic uses the same path as that of non-subscribers of the blocking service, so it passes through neither tunnel mode nor the blocking system 150.
If an Internet access user who is not a subscriber of the harmful site blocking service attempts to access the Internet, the NAS 120c authenticates the user through the authentication server 130 as a non-subscriber and then lets the user reach the Internet service or general communication service through the other router 140.
As described above, the system for providing the harmful site connection blocking service uses the IPSec tunneling protocol, with the NAS 120c as the first endpoint and the router 140-3 as the second endpoint (the peer of the first endpoint at the NAS 120c). Accordingly, the harmful site blocking system 150 is connected to, or applied at, the endpoint that terminates the tunnel. After an ID that is a target of the harmful site connection blocking service is authenticated, its data is transmitted through the IPSec tunnel between the first endpoint (the NAS) 120c and the second endpoint and thereby delivered to the blocking system 150.
However, because such a system using the IPSec tunneling protocol must encapsulate and protect every subscriber IPv4 packet in tunnel mode, it can become overloaded.
When the system fails because of such an overload, the packet mirroring mode according to the present invention is activated so that the blocking service is provided without affecting the network load.
To perform the packet mirroring mode, the system for providing the blocking service comprises a mirroring device 220, a backbone switch 230 and a harmful site blocking system 240, as shown in Fig. 6. The backbone switch 230 carries the traffic on which the harmful site connection blocking operation is performed. The mirroring device 220 mirrors the traffic transmitted over the optical fiber between the backbone switch 230 and the subscriber router 210. The blocking system 240 receives the mirrored traffic and performs the harmful site blocking operation. The mirroring device 220 is a mirroring tap or a hub. A preferred embodiment of the system for providing the blocking service in the packet mirroring mode according to the present invention is now described in detail with reference to Figs. 6 and 7.
Fig. 6 shows the structure of an embodiment of the system for providing the harmful site connection blocking service according to the present invention, operating in the packet mirroring mode. As shown in the figure, the system comprises a mirroring device 220 (for example a mirroring tap or a hub) and a blocking system 240 comprising a harmful site blocking switch 241 and a blocking server 242. The mirroring device 220 mirrors the traffic transmitted over the optical fiber between the backbone switch 230 and the router 210. The blocking system 240 receives the mirrored traffic from the hub or mirroring tap and blocks connections to harmful sites.
The router (GSR) 210 forwards the Internet traffic for the harmful site connection blocking service, the mirroring device 220 mirrors the traffic transmitted over the optical fiber, and the blocking system 240 blocks connections to harmful sites.
The mirroring tap mirrors all traffic passing over the optical fiber and delivers it to the blocking system. The harmful site blocking switch in the blocking system uses an ACL (Access Control List) to detect the IPs that are targets of the harmful site blocking service and passes their traffic on within the blocking system. When a harmful site is accessed, the blocking server in the blocking system sends a harmful site blocking packet to the switch so as to block the connection to the harmful site.
If a system overload occurs while the system operates with the IPSec tunneling protocol according to the present invention, the mirroring mode is activated using a mirroring device (for example a mirroring tap or a hub) on the high-speed Internet network. In mirroring mode, the system mirrors the traffic of all Internet users and determines from the source IP whether the corresponding Internet user is a subscriber or a non-subscriber of the harmful site blocking service. Non-subscriber traffic is discarded and only subscriber traffic is passed through the blocking system, so that the harmful site connection blocking service is provided for subscriber traffic.
Fig. 7 shows the structure of another embodiment of the network system for providing the harmful site connection blocking service according to the present invention, which operates in the packet mirroring mode described with Fig. 6 and uses an L3 switch. As shown in the figure, the system comprises: a mirroring device 220, for example a mirroring tap or a hub; a blocking system 240 comprising a harmful site blocking switch 241 and a blocking server 242; an aggregation router 250; and an IP filtering router 260. The mirroring device 220 mirrors the traffic transmitted over the optical fiber between the backbone switch 230 and the router 210. The blocking system 240 receives the mirrored traffic from the hub or mirroring tap and blocks connections to harmful sites. The aggregation router 250 and the IP filtering router 260 receive the traffic mirrored by the hub or mirroring tap and detect subscriber traffic. The blocking system 240 receives the traffic from the aggregation router 250 and the IP filtering router 260 and performs the harmful site blocking operation.
The mirroring tap mirrors all traffic passing over the optical fiber, and the MA of the copied traffic is set to the port of the aggregation router 250. PBR (policy-based routing) is then applied to the received traffic, which is forwarded accordingly, so that only subscriber network traffic is carried along the forwarding path via the aggregation router 250 and the IP filtering router 260 to the blocking system. The harmful site blocking switch in the blocking system passes the received traffic to the blocking server. When a harmful site is accessed, the blocking server in the blocking system sends a harmful site blocking packet to the switch so as to block the connection to the harmful site.
In brief, a mirroring device in the high-speed Internet network (for example a gigabit tap or a hub) mirrors the traffic of all Internet users and forwards it according to the corresponding IP. An aggregation router and an IP filtering router then pass only subscriber network traffic, so that the harmful site connection blocking service is provided for subscriber network traffic by the blocking system.
Fig. 8 is a flowchart of the method for providing the harmful-site connection blocking service according to the present invention. The method proceeds as follows.
The authentication server checks whether a user ID is a subscriber ID or a non-subscriber ID of the harmful-site connection blocking service (S300 and S310).
If the Internet user is authenticated as a subscriber of the harmful-site service (S320 and S330), the user's traffic is directed to the blocking system using the tunneling scheme (S340). Otherwise, the user is identified as a general or special service subscriber, and the NAS assigns a different traffic path to that user (S335).
If the harmful-site blocking system becomes overloaded while the tunneling scheme is in use and cannot operate normally, the packet mirroring mode is activated (S350).
When a service subscriber attempts to access a website through the blocking system and the website is a harmful site, a message notifying the subscriber that a harmful site was accessed is sent to the subscriber (S360 and S370).
On the other hand, if the Internet user is authenticated as not being a subscriber of the harmful-site connection blocking service, the user is allowed direct access to the Internet (S380).
In addition, if the website that a user holding a target ID of the harmful-site blocking service attempts to access contains harmful content, the access is blocked and a "connection blocked" message is sent to the user; otherwise, the user is allowed to access the website (S380).
As described above, the present invention uses the tunneling protocol to separate the traffic of subscribers of the harmful-site blocking service from that of non-subscribers, so that non-subscriber traffic is connected to the Internet immediately, while subscriber traffic is aggregated at one point and then passed through the blocking system.
Fig. 9 is a flowchart of the method for providing the harmful-site connection blocking service according to the present invention when, in the method of Fig. 8, the harmful-site blocking system cannot operate normally because of system overload while the tunneling scheme is in use.
First, the traffic of all users is transmitted onto the optical fiber by the backbone switch, and during this transmission the mirroring device mirrors all of the traffic (S351).
The mirrored packets are then classified according to whether they correspond to a subscriber IP or a non-subscriber IP; packets from non-subscriber IPs that have not subscribed to the blocking service are discarded, and only packets from subscriber IPs that have subscribed to the blocking service are forwarded to the blocking server (S351 to S355).
If a subscriber IP attempts to access a harmful site, an "access blocked" message is sent to the user having that subscriber IP; otherwise, the IP packet is discarded (S355 to S357).
On the other hand, if the website that the user attempts to access is a harmful site, it is checked whether the user IP is a subscriber IP of the harmful-site blocking service. If the user IP is a subscriber IP, an "access blocked" message is sent to that subscriber IP and the procedure ends; otherwise, the user IP is allowed to access the Internet (S358 to S360-1).
As described above, the method for providing the harmful-site connection blocking service in the packet mirroring mode according to the present invention is carried out in the following manner. The ACL (access control list) of the switching device is used to check the IP address of each mirrored packet and determine whether it is a subscriber IP or a non-subscriber IP of the blocking service, and only the packets of subscriber IPs are forwarded to the blocking server.
Furthermore, in this method the switching device forwards a blocking packet when a user having a subscriber IP of the blocking service attempts to access a site, and access is blocked or permitted according to the type of content the website contains, so that traffic processing can be performed according to the destination IP address of the packet and the authentication result.
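The two steering modes described for Fig. 8 (a subscriber's upstream traffic tunneled from the NAS to the blocking system, as in claims 2 to 5) and Fig. 9 (mirrored copies filtered by a source-IP ACL and then checked against the harmful-site list, as in claims 7 to 10), modelled in one script. This is an added example and not code from the patent or its applicant: it assumes GRE (RFC 2784 header, protocol type 0x0800) as the tunnel, models the switch ACL as a list of subscriber prefixes and the harmful-site list as destination IP addresses, and abstracts the blocking server's blocking packet as a decision rather than injecting any packet. Every address, prefix and function name below is constructed for illustration.

```python
"""Hypothetical model of the tunnel mode and the packet mirroring mode.

Added example, not the patent's code. Assumptions: GRE over IPv4 for the
tunnel, an ACL expressed as subscriber prefixes, harmful sites given as IPs.
"""
import ipaddress
import struct

GRE_PROTO = 47                                # IP protocol number of GRE
GRE_HEADER = struct.pack("!HH", 0, 0x0800)    # RFC 2784 header: no flags, payload is IPv4


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement header checksum; 0 when verifying a valid header."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); reject anything that is not valid IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:]


# Tunnel mode (Fig. 8, claim 3): the NAS is the GRE origin and the router in front
# of the blocking system is the GRE endpoint. Only a subscriber's upstream packets
# are encapsulated; downstream and non-subscriber traffic takes the normal path.
def nas_forward(packet: bytes, is_subscriber: bool, upstream: bool,
                nas_ip: str, endpoint_ip: str) -> bytes:
    if not (is_subscriber and upstream):
        return packet
    return build_ipv4(nas_ip, endpoint_ip, GRE_PROTO, GRE_HEADER + packet)


def gre_decapsulate(packet: bytes) -> bytes:
    """GRE endpoint: strip the outer IPv4 and GRE headers, return the inner packet."""
    _src, _dst, proto, payload = parse_ipv4(packet)
    if proto != GRE_PROTO or len(payload) < 4:
        raise ValueError("not a GRE packet")
    flags_version, ptype = struct.unpack("!HH", payload[:4])
    if flags_version != 0 or ptype != 0x0800:   # optional GRE fields are not modelled
        raise ValueError("unsupported GRE header")
    return payload[4:]


# Mirroring mode (Fig. 7/9, claims 7 to 10): every packet on the fibre is copied to
# the blocking switch, whose ACL keeps only subscriber source IPs; the blocking
# server then decides per destination whether an "access blocked" message is due.
class MirrorClassifier:
    def __init__(self, subscriber_prefixes, harmful_sites):
        self.acl = [ipaddress.ip_network(p) for p in subscriber_prefixes]
        self.harmful = {ipaddress.ip_address(h) for h in harmful_sites}

    def is_subscriber(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.acl)

    def handle(self, mirrored: bytes):
        src, dst, _proto, _payload = parse_ipv4(mirrored)
        if not self.is_subscriber(src):
            return ("discard", "non-subscriber")        # S353: ACL drops the copy
        if ipaddress.ip_address(dst) in self.harmful:
            return ("block", dst)                       # S355 to S357: notify subscriber
        return ("discard", "permitted")                 # copy of harmless traffic


def demo():
    """Constructed addresses: subscriber 10.1.2.3, harmful site 203.0.113.10."""
    acl = MirrorClassifier(["10.1.0.0/16"], ["203.0.113.10"])
    pkt = build_ipv4("10.1.2.3", "203.0.113.10", 6, b"GET / HTTP/1.1")
    tunnelled = nas_forward(pkt, True, True, "192.0.2.1", "192.0.2.2")
    return {
        "inner_restored": gre_decapsulate(tunnelled) == pkt,
        "outer_proto": parse_ipv4(tunnelled)[2],
        "mirror_decision": acl.handle(pkt),
    }


if __name__ == "__main__":
    print(demo())
```

In mirroring mode the classifier only ever sees a copy, so returning "discard" for permitted subscriber traffic costs nothing on the live path, whereas in tunnel mode the NAS decision sits on the forwarding path itself; that asymmetry is why the description treats mirroring as the fallback when the tunnel path is overloaded.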
From the above description it is evident that the system and method for providing the harmful-site connection blocking service according to the present invention have the following advantages. The tunneling protocol is used to collect only the traffic of subscribers of the harmful-site connection blocking service. The connection blocking service is therefore provided to service subscribers while normal Internet service is provided to non-subscribers, which makes it possible to improve the traffic processing efficiency for subscribers without affecting non-subscribers' traffic. In addition, even if overload occurs while the IPsec (IP Security) tunneling protocol is in operation, the packet mirroring mode can be activated, making it possible to provide the harmful-site connection blocking service to users more reliably.
Although the preferred embodiments of the present invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible without departing from the scope and spirit of the invention as disclosed in the accompanying claims.
Claims (10)
1. A system for providing a harmful-site connection blocking service according to a tunneling protocol and a packet mirroring mode, the system comprising:
a NAS (Network Access Server) for checking user IDs with respect to the connection blocking service, classifying the user IDs into subscriber IDs and non-subscriber IDs of the connection blocking service, and performing routing accordingly;
an authentication server for authenticating the IDs of high-speed Internet users and the IDs of subscribers of the connection blocking service;
a router for forwarding the Internet traffic received from the NAS based on a tunneling protocol, wherein the tunneling protocol comprises at least one of: L2TP (Layer 2 Tunneling Protocol), the GRE (Generic Routing Encapsulation) tunneling protocol, the MPLS (Multi Protocol Label Switching) tunneling protocol and the IPsec (IP Security) tunneling protocol; and a blocking system having a harmful-site connection blocking function.
2. The system according to claim 1, wherein, when L2TP is employed, the system for providing the harmful-site connection blocking service uses the NAS as an LAC (L2TP Access Concentrator) and allows the router to act as an LNS (L2TP Network Server), so that the system for providing the connection blocking service is applied at the LNS, and
wherein, after an ID that is a target of the harmful-site connection blocking service has been authenticated, its data is transmitted through the L2TP tunnel between the NAS and the LNS so that the data is delivered to the blocking system.
3. The system according to claim 1, wherein, when the GRE tunneling protocol is employed, the system for providing the harmful-site connection blocking service uses the NAS as the GRE origin and allows the router to act as the GRE endpoint, so that the harmful-site blocking system is applied at the GRE endpoint,
wherein, after an ID that is a target of the harmful-site connection blocking service has been authenticated, its data is transmitted through the GRE tunnel between the GRE origin (the network access server) and the GRE endpoint so that the data is delivered to the blocking system, and
wherein only its upstream traffic is handled through the GRE tunnel while its downstream traffic is handled through the same path as that of non-subscribers of the connection blocking service, thereby greatly reducing the traffic passing through the blocking system and the GRE tunnel so as to maximize processing efficiency.
4. The system according to claim 1, wherein, when the MPLS tunneling protocol is employed, the system for providing the harmful-site connection blocking service uses the NAS as the MPLS origin and allows the router to act as the MPLS endpoint, so that the harmful-site blocking system is applied at the MPLS endpoint,
wherein, after an ID that is a target of the harmful-site connection blocking service has been authenticated, its data is transmitted through the MPLS tunnel between the MPLS origin (the network access server) and the MPLS endpoint so that the data is delivered to the blocking system, and
wherein only its upstream traffic is handled through the MPLS tunnel while its downstream traffic is handled through the same path as that of non-subscribers of the connection blocking service, thereby greatly reducing the traffic passing through the blocking system and the MPLS tunnel so as to maximize processing efficiency.
5. The system according to claim 1, wherein, when the IPsec tunneling protocol is employed in the system for providing the harmful-site connection blocking service, the network access server (NAS) first operates in tunnel mode, encapsulating the IPv4 frames of the traffic of subscriber IDs that are targets of the blocking service in IPsec-secured IPv4 packets, and then operates in transport mode, forwarding them to one endpoint, namely a point on the internal network protected by the blocking system, where the other endpoint parses the IPv4 packets and forwards them to the blocking system, and
wherein only its upstream traffic is handled through the tunnel mode while its downstream traffic is handled through the same path as that of non-subscribers of the connection blocking service, thereby greatly reducing the traffic passing through the blocking system and the tunnel so as to maximize processing efficiency.
6. The system according to claim 5, wherein, when the system fails while the IPsec tunneling protocol is employed, a packet mirroring mode that does not affect the network load is activated in order to provide the harmful-site connection blocking service.
7. The system according to claim 6, wherein, in order to perform the packet mirroring mode, the system for providing the blocking service comprises:
a backbone switch for blocking connections to harmful sites;
a mirroring device, comprising a mirror TAP and a hub, for mirroring the traffic carried over the optical fiber link between the backbone switch and the router; and
a blocking system for receiving the mirrored traffic and performing the harmful-site blocking operation.
8. The system according to claim 7, wherein the mirror TAP mirrors all traffic carried over the optical fiber link and delivers it to the blocking system,
wherein the harmful-site blocking switch in the blocking system forwards the traffic received by the blocking switch, according to the destination MAC address of the received traffic, to the port to which the blocking server is connected,
wherein the IP addresses that are targets of the connection blocking service are detected based on an ACL (Access Control List) and their data is forwarded to the blocking server, and
wherein the blocking server uses an L2 switching function to send a harmful-site blocking traffic signal to the switch when a harmful website is accessed, and blocks the connection to the harmful site.
9. A method for providing a harmful-site connection blocking service, comprising the steps of:
a) subscribing to the harmful-site connection blocking service, being assigned a subscriber ID of the service, and then attempting to access the system for providing the service;
b) if the high-speed Internet user ID is authenticated, checking in the authentication server whether it is a subscriber ID or a non-subscriber ID of the service, and if the high-speed Internet user ID is not authenticated, not allowing it to access the Internet;
c) in the case where the user has a subscriber ID of the service, if the user accesses a harmful site, sending an "access blocked" message to the user using the tunneling scheme, and if the user does not access a harmful site, allowing the user to browse the Internet and then ending the method or returning to step a);
d) if a system failure occurs because of system overload while the tunneling scheme is employed, so that the system cannot operate normally, activating the packet mirroring mode; and
e) if the user has a non-subscriber ID, allowing the user to browse the Internet and ending the method.
10. The method according to claim 9, wherein the step of activating the packet mirroring mode comprises the steps of:
f) transmitting all traffic through the backbone switch onto the optical fiber, and mirroring all traffic with the mirroring device during the transmission onto the optical fiber;
g) classifying the mirrored packets according to whether they correspond to a subscriber IP or a non-subscriber IP, discarding the packets of non-subscriber IPs that are not subject to the blocking service, and forwarding only the packets of subscriber IPs that are subject to the blocking service to the blocking server;
h) if the subscriber IP attempts to access a harmful site, sending an "access blocked" message to the user having that subscriber IP, and otherwise discarding the IP packet; and
i) if the website that the user attempts to access is a harmful site, checking in step f) whether the user IP is a subscriber IP of the harmful-site blocking service; if the user IP is a subscriber IP, sending an "access blocked" message to that user IP and ending the method; otherwise, allowing the user IP to access the Internet.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020030099029 | 2003-12-29 | ||
KR1020030099029A KR100478899B1 (en) | 2003-12-29 | 2003-12-29 | The system and service providing method for harmful site connection interception service by using tunneling protocol and packet mirroring mode |
Publications (1)
Publication Number | Publication Date |
---|---|
CN1638330A true CN1638330A (en) | 2005-07-13 |
Family
ID=34858636
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2004100031928A Pending CN1638330A (en) | 2003-12-29 | 2004-02-26 | System and method for providing arresting service to harmful website connection |
Country Status (3)
Country | Link |
---|---|
KR (1) | KR100478899B1 (en) |
CN (1) | CN1638330A (en) |
TW (1) | TWI262002B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI326417B (en) | 2006-06-01 | 2010-06-21 | Ind Tech Res Inst | System and method for recognizing offloaded packet |
KR100882339B1 (en) * | 2007-01-19 | 2009-02-17 | 주식회사 플랜티넷 | System and method for blocking the connection to the harmful information in a internet service provider network |
TW201006175A (en) | 2008-07-31 | 2010-02-01 | Ibm | Method, apparatus, and computer program product for testing a network system |
CN103123731B (en) * | 2011-11-21 | 2016-08-17 | 国家电网公司 | The electricity-selling system that flows is carried out based on 3G communications wireless network |
- 2003-12-29 KR KR1020030099029A patent/KR100478899B1/en active IP Right Grant
- 2004-02-19 TW TW093104048A patent/TWI262002B/en not_active IP Right Cessation
- 2004-02-26 CN CNA2004100031928A patent/CN1638330A/en active Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20240048506A1 (en) * | 2022-08-08 | 2024-02-08 | Bank Of America Corporation | System and method for autonomous conversion of a resource format using machine learning |
US12107774B2 (en) * | 2022-08-08 | 2024-10-01 | Bank Of America Corporation | System and method for autonomous conversion of a resource format using machine learning |
Also Published As
Publication number | Publication date |
---|---|
TW200522612A (en) | 2005-07-01 |
TWI262002B (en) | 2006-09-11 |
KR100478899B1 (en) | 2005-03-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |