Summary of the invention
In view of this, the purpose of the invention is to provide an access authentication system and method that verifies the security of hosts accessing the network. The invention replaces the conventional practice of authenticating only the user's identity with a username/password at network access by a new access authentication system and method based on a security health fingerprint, which verifies the security of every host or terminal device accessing the network and thereby effectively safeguards network security.
To achieve the above object, the invention provides an access authentication system that verifies the security of accessing hosts, characterized in that the system uses security health fingerprint information to authenticate the security of hosts accessing the network, and comprises the following components:
An authentication client: a host that accesses the network and whose security must be verified. Client software for security health fingerprint authentication is installed on the machine; it collects the host's security health fingerprint information and sends it, via the access control device and the authentication server, to the security health fingerprint authentication server for verification.
An access control device: the network equipment that provides users with network access; it contains the ports through which users access the network and an access control module. After receiving the authentication result returned by the security health fingerprint authentication server, it controls the host's access request: allow access, deny access, or allow access only to the network elements that provide part of the services.
An authentication server: a conventional server that authenticates users by username/password; it cooperates with the security health fingerprint authentication server to perform dual authentication of the user's identity and of the host's security.
A security health fingerprint authentication server: the authentication device for user host access. It contains a security health policy library and an information interface, receives the client's security health fingerprint, looks up and compares each item in the fingerprint against the security health policy library, and evaluates the host's security state level from the combined comparison results. If the host's security state level is below the value set in the policy, it sends an access-denied message or an access control policy to the access control device; if the level is greater than or equal to the setting, it sends an access-granted message to the access system.
The security health fingerprint information of the host includes, but is not limited to: operating system type, operating system version number, patch status, file sharing status, open Transmission Control Protocol (TCP) ports, open User Datagram Protocol (UDP) ports, running system services, user password strength, Guest account usage, account lockout policy, account password policy, login information, browser version, browser patch status, e-mail client version and e-mail client patch status.
The security health fingerprint information is packed into a packet of the form "type, length, content", where the type field is a special identifier indicating that the packet must be delivered to the security health fingerprint authentication server for security authentication; its value is defined jointly by the client, the authentication server and the security health fingerprint authentication server.
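The "type, length, content" packet described above, as an added example that is not code from the patent: the outer element carries the special identifier type, and each fingerprint field is a nested element. The type codes, the 1-byte type / 2-byte length layout and the sample fingerprint are assumptions made for this example; the decoder refuses any length field that overruns the buffer, which is the check the access control device and fingerprint server both need before trusting the client's data.

```python
import struct

# Constructed type codes: the patent says the three parties agree these values
# jointly but does not list them, so the numbers here are an assumption.
FINGERPRINT_PACKET = 0x7F   # outer type: "deliver to the fingerprint server"
FIELD_TYPES = {
    "os_type": 0x01, "os_version": 0x02, "patch_status": 0x03,
    "file_sharing": 0x04, "open_tcp_ports": 0x05, "open_udp_ports": 0x06,
    "running_services": 0x07, "password_strength": 0x08, "guest_account": 0x09,
    "lockout_policy": 0x0A, "password_policy": 0x0B, "login_info": 0x0C,
    "browser_version": 0x0D, "browser_patch": 0x0E,
    "mail_client_version": 0x0F, "mail_client_patch": 0x10,
}
FIELD_NAMES = {code: name for name, code in FIELD_TYPES.items()}
HEADER = struct.Struct("!BH")   # assumed layout: type 1 byte, length 2 bytes
MAX_CONTENT = 0xFFFF


def _tlv(type_code, content):
    """One 'type, length, content' element; the length counts only the content."""
    if len(content) > MAX_CONTENT:
        raise ValueError("content too long for a 16-bit length field")
    return HEADER.pack(type_code, len(content)) + content


def encode_fingerprint(fields):
    """Client side: pack a dict of fingerprint fields into the outer packet."""
    body = b"".join(_tlv(FIELD_TYPES[name], str(value).encode("utf-8"))
                    for name, value in fields.items())
    return _tlv(FINGERPRINT_PACKET, body)


def _iter_tlvs(buf):
    """Walk a buffer of TLVs, refusing any element that overruns the buffer."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < HEADER.size:
            raise ValueError("truncated TLV header at offset %d" % pos)
        type_code, length = HEADER.unpack_from(buf, pos)
        pos += HEADER.size
        if pos + length > len(buf):
            raise ValueError("TLV length %d overruns the packet" % length)
        yield type_code, buf[pos:pos + length]
        pos += length


def decode_fingerprint(packet):
    """Server side: unpack the fingerprint; unknown field types are ignored."""
    elements = list(_iter_tlvs(packet))
    if len(elements) != 1 or elements[0][0] != FINGERPRINT_PACKET:
        raise ValueError("not a security health fingerprint packet")
    fields = {}
    for type_code, content in _iter_tlvs(elements[0][1]):
        name = FIELD_NAMES.get(type_code)
        if name is not None:
            fields[name] = content.decode("utf-8")
    return fields


def is_fingerprint_packet(packet):
    """What the access control device looks at before forwarding: the outer type."""
    return len(packet) >= HEADER.size and packet[0] == FINGERPRINT_PACKET


# Constructed sample fingerprint; it does not describe a real host.
SAMPLE = {
    "os_type": "Windows",
    "os_version": "5.1.2600",
    "patch_status": "missing_critical:2",
    "open_tcp_ports": "135,139,445",
    "guest_account": "enabled",
}

if __name__ == "__main__":
    pkt = encode_fingerprint(SAMPLE)
    print(len(pkt), is_fingerprint_packet(pkt), decode_fingerprint(pkt))
```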
The port through which users access the network in the access control device has two logical ports:
The controlled port is opened only when authentication has passed and is used to deliver network resources and services; the uncontrolled port is always in the bidirectionally connected state, so that the client can send or receive authentication at any time.
When the access network is an internal local area network, the client must support the Extensible Authentication Protocol over LAN (EAPOL) in order to support access control of this network port.
When the access network is a virtual private network, the communication protocols the client must support in order to support access control of this network port include at least the following VPN tunnelling protocols: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSEC).
When the access network is a telecommunications access network, the client must support the Point-to-Point Protocol over Ethernet (PPPOE) in order to support access control of this network port.
To achieve the above object, the invention also provides an authentication method for the access authentication system that verifies the security of accessing hosts, characterized in that security health fingerprint information is used to verify the security of hosts accessing the network so as to guard against network worms and hacker attacks; the method comprises the following steps:
(1) When the client initiates an access request, the client software extracts the security health fingerprint information of the local machine, packs it into a packet of the form "type, length, content" and sends it to the access control device;
(2) When the access control device detects an authentication packet carrying fingerprint information, it either forwards the packet directly to the authentication server, or extracts the security health fingerprint information used for authentication, re-encapsulates it and forwards it to the authentication server;
(3) The authentication server communicates with the security health fingerprint authentication server and sends the security health fingerprint information to it;
(4) The security health fingerprint authentication server compares the relevant fields of the fingerprint information with its policy library, performs a comprehensive evaluation of the comparison result and the related conditions of each item, and derives the host's security state grade. It then compares this grade with the security access requirement: if the grade is greater than or equal to the access value, it sends an authentication-passed message; otherwise it sends an authentication-failed or restricted-access message;
(5) The access control device reads the access control instruction and sets the corresponding authorization state for the accessing host according to that instruction: if the message is authentication passed, the host's access is completed; if the message is authentication failed, the host's access is refused and an access failure prompt is shown in the client software; if the message is restricted access, the access control module configures the corresponding access policy. For example, a host infected by a worm virus is allowed to access only the patch server in the network, so that the device can be patched in time, its vulnerabilities repaired, and the chance of being infected by the worm again reduced.
The network communication protocol used by the client software to send the authentication packet in step (1) includes, but is not limited to, TCP, UDP, ICMP or EAPOL.
The protocol used for communication between the authentication server and the security health fingerprint authentication server in step (3) is the Remote Authentication Dial In User Service protocol RADIUS.
The present invention has the following advantages:
(1) It effectively prevents virus-infected hosts from accessing the network and safeguards network security: the access authentication system of the invention controls a host's access according to the host's security health fingerprint information, blocking or restricting the network access of infected hosts and cutting off the path by which they would infect other devices, thus effectively preventing worms and other viruses from spreading unchecked in the network. The access control policy configured in the authentication method allows an infected host to access only the patch server in the network, so that the device is patched in time and its vulnerabilities repaired, reducing the chance of reinfection.
(2) Access authentication is targeted and does not affect other access devices: the system performs access control based on port or user identity, directly isolating the host or terminal device of the particular user that is accessing the network, while the network access of other users' devices is unaffected. Access control policies for different security levels are configured in the security health policy library, and different access control instructions are sent for different access devices.
(3) The system configuration is simple and the software and hardware investment is small: the client only needs client software that collects the device's security health fingerprint information, packs it in the agreed format and sends it automatically to the security health fingerprint authentication server; its function is fairly simple and easy to implement. The only hardware the whole system needs to acquire is the security fingerprint authentication server, which can be developed on the hardware and software of an existing authentication server; this both speeds up development and makes interfacing with the conventional authentication server easy.
In summary, the access authentication system and method of the invention, which verify the security of accessing hosts on the basis of security health fingerprint authentication, use the host security grade derived from the security fingerprint information as the basis for controlling that host's access. Through the access control policy that the security authentication device issues for the specific port of the network equipment, hosts with a lower security grade can be effectively blocked from the network while other hosts or devices access the network normally; at the same time, with suitable settings, users can be made to patch infected hosts in time. The invention can be widely used for the security protection of corporate intranets, effectively isolating network worms and hacker attacks and greatly reducing their impact on hosts and the network.
Embodiment
To make the purpose, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments.
Referring to Fig. 1, the present invention is an access authentication system that uses security health fingerprint information to verify the security of accessing hosts; the system comprises the following components:
Client 1: a host that accesses the network and whose security must be verified. Client software for security health fingerprint authentication is installed on the machine; it collects the host's security health fingerprint information and sends it, via the access control device and the authentication server, to the security health fingerprint authentication server for verification. The security health fingerprint mainly includes, but is not limited to, the following information: operating system type, operating system version number, patch status, file sharing status, open TCP ports, open UDP ports, running system services, user password strength, Guest account usage, account lockout policy, account password policy, login information, browser version, browser patch status, e-mail client version and e-mail client patch status.
Access control device 2: the network equipment that provides users with network access; it contains the ports through which users access the network and an access control module. After receiving the authentication result returned by the security health fingerprint authentication server, it controls the host's access request: allow access, deny access, or allow access only to the network elements that provide part of the services.
Authentication server 3: a conventional server that authenticates users by username/password; it cooperates with the security health fingerprint authentication server to perform dual authentication of the user's identity and of the host's security.
Security health fingerprint authentication server 4: the authentication device for user host access. It contains a security health policy library and an information interface, receives the security health fingerprint from the client, looks up and compares each item in the fingerprint against the security health policy library, and evaluates the host's security state level from the combined comparison results. According to the comparison of the host's security state level with the setting in the access control policy, it sends to the access control device an access-granted message, an access-denied message or an access control policy, respectively.
The access authentication technique of the invention, based on the security health fingerprint, can effectively control the security of accessing hosts, guard against worm outbreaks and hacker attacks to the greatest extent, and ensure the safety and stability of hosts and the network.
Referring to Fig. 2, the concrete operating steps of the authentication method of the invention, which uses security health fingerprint information to verify the security of an accessing host, are as follows:
(1) When the client initiates an access request, the client software extracts the security health fingerprint information of the local machine, packs it into an authentication packet of the form "type, length, content", and sends the packet to the access control device using a network communication protocol such as TCP, UDP, ICMP or EAPOL;
(2) When the access control device detects an authentication packet carrying fingerprint information, it either forwards the packet directly to the authentication server, or extracts the security health fingerprint information used for authentication, re-encapsulates it and forwards it to the authentication server;
(3) The authentication server and the security health fingerprint authentication server communicate using the RADIUS protocol, and the security health fingerprint information is sent to the security health fingerprint authentication server;
(4) The security health fingerprint authentication server compares the relevant fields of the fingerprint information with its policy library, performs a comprehensive evaluation of the comparison result and the related conditions of each item, and derives the host's security state grade. It then compares this grade with the security access requirement: if the grade is greater than or equal to the access value, it sends an authentication-passed message; otherwise it sends an authentication-failed or restricted-access message;
(5) The access control device reads the access control instruction and sets the corresponding authorization state for the accessing host according to that instruction: if the message is authentication passed, the host's access is completed; if the message is authentication failed, the host's access is refused and an access failure prompt is shown in the client software; if the message is restricted access, the access control module configures the corresponding access policy and sends the corresponding access control instruction to the access control system. For example, a host infected by a worm virus is allowed to access only the patch server in the network, so that the device can be patched in time, its vulnerabilities repaired, and the chance of being infected by the worm again reduced.
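Steps (4) and (5) as they are described here and in the summary of the method above, as an added example that is not the patent's own code: the fingerprint server scores each field against a policy library, turns the combined result into a grade, compares it with the access value, and the access control device sets the port state from the message. The weights, thresholds, check rules, patch server address and sample fingerprints are all assumptions for this example, since the patent gives none; a field the client omits is scored as failed.

```python
# Constructed policy library, weights and thresholds: the patent says the
# fingerprint is compared with a policy library and the combined result is a
# grade checked against an access value, but gives no numbers, so every value
# here is an assumption for this example.
ACCESS_VALUE = 70          # grade needed for "authentication passed"
RESTRICTED_VALUE = 40      # below this the host is refused outright
PATCH_SERVER = "10.0.0.5"  # constructed address of the network's patch server


def _only_allowed_tcp_ports(value):
    """Open TCP ports must be a subset of the services the policy permits."""
    try:
        open_ports = {int(p) for p in value.split(",") if p}
    except ValueError:
        return False
    return open_ports <= {80, 443}


# field -> (weight, predicate on the fingerprint's string value)
POLICY_LIBRARY = {
    "patch_status":      (30, lambda v: v == "up_to_date"),
    "open_tcp_ports":    (20, _only_allowed_tcp_ports),
    "guest_account":     (15, lambda v: v == "disabled"),
    "password_strength": (15, lambda v: v in ("medium", "strong")),
    "file_sharing":      (10, lambda v: v == "off"),
    "browser_patch":     (10, lambda v: v == "up_to_date"),
}


def evaluate_grade(fingerprint):
    """Step (4): compare each field with the policy library and combine the
    per-item results into one grade from 0 to 100.  A field the client did
    not report counts as a failed check; silence is not evidence of health."""
    total = sum(weight for weight, _ in POLICY_LIBRARY.values())
    earned = 0
    for field, (weight, check) in POLICY_LIBRARY.items():
        value = fingerprint.get(field)
        if value is not None and check(value):
            earned += weight
    return round(100 * earned / total)


def access_decision(fingerprint):
    """Step (4), second half: the message sent to the access control device.
    The restricted policy lets the host reach only the patch server."""
    grade = evaluate_grade(fingerprint)
    if grade >= ACCESS_VALUE:
        return {"result": "pass", "grade": grade}
    if grade >= RESTRICTED_VALUE:
        return {"result": "restricted", "grade": grade,
                "policy": {"permit": [PATCH_SERVER], "deny": ["any"]}}
    return {"result": "fail", "grade": grade}


def apply_instruction(decision):
    """Step (5): the authorization state the access control device sets on the
    host's port, and the prompt the client software shows."""
    if decision["result"] == "pass":
        return {"controlled_port": "authorized", "acl": None, "prompt": None}
    if decision["result"] == "restricted":
        return {"controlled_port": "authorized", "acl": decision["policy"],
                "prompt": "restricted access: patch server only"}
    return {"controlled_port": "unauthorized", "acl": None,
            "prompt": "access failed: host security grade too low"}


# Constructed fingerprints (already decoded from the TLV packet); not real hosts.
HEALTHY_HOST = {
    "patch_status": "up_to_date", "open_tcp_ports": "443",
    "guest_account": "disabled", "password_strength": "strong",
    "file_sharing": "off", "browser_patch": "up_to_date",
}
WORM_INFECTED_HOST = dict(HEALTHY_HOST, patch_status="missing_critical:2",
                          open_tcp_ports="80,445")

if __name__ == "__main__":
    for host in (HEALTHY_HOST, WORM_INFECTED_HOST, {}):
        decision = access_decision(host)
        print(decision, apply_instruction(decision))
```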
Three embodiments of the invention are described below in conjunction with three different access networks.
The first is an example of access to the internal LAN of an enterprise or institution based on IEEE 802.1x port-based access control technology. Referring to Fig. 3, in this case the system of the invention comprises four parts: authentication client 1, access control device 2, authentication server 3 and security health fingerprint authentication server 4.
In an IEEE 802.1x access authentication system the user terminal generally serves as client 1. Client software is usually installed on this terminal; the user initiates user identity authentication by starting the client software, and the access control device decides, according to the authentication result of the security health fingerprint authentication server, whether the user terminal may access the network.
To support port-based access control, client 1 must support the EAPOL protocol. To support security authentication of the host's health fingerprint, client 1 must be able to collect the host's security health fingerprint information and send it to the authentication device for verification. The authentication packet is encapsulated in the "type, length, content" format, where the type field is a special identifier indicating that the packet requires security health fingerprint authentication.
A network device supporting the IEEE 802.1x authentication mode (i.e. access control device 2) usually has, for each port corresponding to a user device (a physical port, or the MAC address, VLAN, IP address etc. of the user device), two logical ports for user access: the controlled port and the uncontrolled port. The uncontrolled port is always in the bidirectionally connected state and is mainly used to carry EAPOL protocol frames, which guarantees that the client can send or receive authentication at any time. The controlled port is opened only when authentication has passed and is used to deliver network resources and services. If the user fails authentication, the controlled port remains in the unauthorized, closed state and the user cannot access the services provided by the authentication system. Initially the user's controlled port is in the unauthorized state and cannot access any network resources; only after user identity authentication is the controlled port set to the authorized, open state. In this embodiment, access control device 2 can be implemented with a network device supporting the IEEE 802.1x protocol (shown as a switch in the figure), whose access port is a physical port of the access network device and whose access control module is the control module of the access device. The access control module of this port re-encapsulates the authentication information as EAPOL protocol frames and then sends it to authentication server 3 with the RADIUS protocol.
Since the EAPOL protocol is defined by the IEEE 802.1x standard, devices that support IEEE 802.1x can generally support EAPOL, so security health fingerprint authentication server 4 of the invention only needs to interact with authentication server 3 using the standard RADIUS protocol to complete authentication. In this process authentication server 3 acts as the RADIUS client: it extracts the fingerprint information from the EAPOL protocol frames encapsulated in RADIUS, re-encapsulates it in RADIUS packet format and sends it to the RADIUS server, security health fingerprint authentication server 4. The security health fingerprint content is encapsulated in the RADIUS packet in the "type, length, content" form, where the value of the type field must be uniformly defined by client 1, authentication server 3 and security health fingerprint authentication server 4 so that all three understand the meaning of the specific fields.
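The RADIUS encapsulation described above, as an added example that is not the patent's code: authentication server 3 carries the opaque fingerprint TLV blob inside Vendor-Specific attributes (type 26, RFC 2865) on its way to server 4. The example goes one step beyond the text by handling a limit the patent does not mention: a RADIUS attribute's one-byte length field caps its value at 253 bytes, so a full fingerprint must be split over several attributes and reassembled in order, with the receiver checking every length before trusting it. The vendor id and vendor sub-type are placeholder values assumed for this example.

```python
import struct

VENDOR_SPECIFIC = 26            # RADIUS attribute type for Vendor-Specific (RFC 2865)
VENDOR_ID = 99999               # constructed placeholder, not a registered vendor id
VENDOR_TYPE_FINGERPRINT = 1     # constructed sub-type for "security health fingerprint"
MAX_ATTR_VALUE = 253            # Length is one byte and covers Type+Length+Value (255)
MAX_FRAGMENT = MAX_ATTR_VALUE - 4 - 2   # minus Vendor-Id, Vendor-Type, Vendor-Length


def pack_fingerprint_vsas(blob):
    """RADIUS client side: carry the fingerprint TLV blob in ordered VSAs,
    each attribute kept within the 255-byte RADIUS limit."""
    attrs = []
    for off in (range(0, len(blob), MAX_FRAGMENT) or [0]):
        chunk = blob[off:off + MAX_FRAGMENT]
        inner = struct.pack("!BB", VENDOR_TYPE_FINGERPRINT, 2 + len(chunk)) + chunk
        value = struct.pack("!I", VENDOR_ID) + inner
        attrs.append(struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(value)) + value)
    return b"".join(attrs)


def iter_radius_attributes(attr_bytes):
    """Walk the attribute area of a RADIUS packet with strict length checks."""
    pos = 0
    while pos < len(attr_bytes):
        if len(attr_bytes) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = attr_bytes[pos], attr_bytes[pos + 1]
        if alen < 2 or pos + alen > len(attr_bytes):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        yield atype, attr_bytes[pos + 2:pos + alen]
        pos += alen


def unpack_fingerprint_vsas(attr_bytes):
    """RADIUS server side: reassemble the fingerprint blob from our VSAs,
    ignoring every other attribute (User-Name, NAS-Port, ...)."""
    parts = []
    for atype, value in iter_radius_attributes(attr_bytes):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]
        if vtype != VENDOR_TYPE_FINGERPRINT:
            continue
        if vlen < 2 or 4 + vlen > len(value):
            raise ValueError("vendor-length %d overruns the attribute" % vlen)
        parts.append(value[6:4 + vlen])
    return b"".join(parts)


if __name__ == "__main__":
    # Constructed 600-byte stand-in for an encoded fingerprint packet.
    blob = bytes(range(256)) * 2 + b"tail" * 22
    packed = pack_fingerprint_vsas(blob)
    print(len(packed), unpack_fingerprint_vsas(packed) == blob)
```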
Fig. 4 shows the deployment architecture of the component devices of this embodiment, in which each host of the internal LAN (i.e. a client) is connected to the internal LAN (shown by the dashed rectangle in the figure) through the access control device, a switch.
Referring to Fig. 5, an example is described in which the invention provides access to the internal LAN of an enterprise or institution on the basis of VPN access control technology. The structure of this embodiment is substantially the same as that of Fig. 4 and differs only in the access control device; it also consists of four parts: authentication client 1, VPN access control device 2, authentication server 3 and security health fingerprint authentication server 4.
In a VPN access authentication system the user terminal generally serves as client 1. Client software is usually installed on this terminal; the user initiates user identity authentication by starting the client software, and the VPN access control device allows or blocks the user terminal's network access according to the authentication result of the security health fingerprint authentication server.
To support VPN-based access control, client 1 must support VPN tunnelling protocols such as PPTP, L2TP and IPSEC. To support security authentication of the host's health fingerprint, client 1 must be able to collect the terminal's security health fingerprint information and send it to the authentication device for verification. The authentication packet is encapsulated in the "type, length, content" format, where the type field is a special identifier indicating that the packet requires security access authentication of the security health fingerprint.
In the second embodiment, access control device 2 can be implemented with a network device supporting one or more VPN tunnelling protocols, whose access port is a physical or logical port of the VPN access device and whose access control module is the control module of the VPN access device. This access control module first decrypts the authentication information, extracts it, and then sends it to authentication server 3 with the RADIUS protocol.
Authentication server 3 extracts the fingerprint information from the RADIUS-encapsulated authentication packet, re-encapsulates it in RADIUS packet format and sends it to security health fingerprint authentication server 4. Authentication server 3 communicates with security health fingerprint authentication server 4 using the standard RADIUS protocol; in this process authentication server 3 is the RADIUS client and security health fingerprint authentication server 4 is the RADIUS server. The content of the security health fingerprint information is encapsulated in the RADIUS packet in the "type, length, content" form, where the value of the type field must be uniformly defined by client 1, authentication server 3 and security health fingerprint authentication server 4 so that all three understand the meaning of the specific fields.
Fig. 5 shows the deployment architecture of the component devices of this embodiment, in which each host of the external network is connected to the internal LAN (shown by the dashed rectangle in the figure) through the VPN access device.
Referring to Fig. 6, an example is described in which the invention provides access to a telecommunications network on the basis of PPPOE dial-up access control technology. The structure of this embodiment is substantially the same as that of Fig. 4 and Fig. 5 and differs only in the access control device; it also consists of four parts: authentication client 1, PPPOE access control device 2, authentication server 3 and security health fingerprint authentication server 4.
In a PPPOE access authentication system the user terminal generally serves as client 1. Client software is usually installed on this terminal; the user initiates user identity authentication by starting the client software, and the PPPOE access control device allows or blocks the user terminal's network access according to the authentication result of the security health fingerprint authentication server.
To support PPPOE-based access control, client 1 must support the PPPOE protocol. To support security authentication of the host's health fingerprint, client 1 must be able to collect the terminal's security health fingerprint information and send it to the authentication device for verification. The authentication packet is encapsulated in the "type, length, content" format, where the type field is a special identifier indicating that the packet requires security access authentication of the security health fingerprint.
In the third embodiment, access device 2 can be implemented with a network device supporting the PPPOE protocol, whose access port is a physical or logical port of the PPPOE access device and whose access control module is the control module of the PPPOE access device.
The PPPOE protocol provides a standard for connecting multiple hosts on a broadcast network to a remote access concentrator (LAC). In this network model every user's host must initialize its own independent PPP protocol stack, and the characteristics of the PPP protocol itself are used to implement accounting and management of users on the broadcast network.
The PPPOE protocol comprises two stages: the PPPOE discovery stage (PPPOE Discovery Stage) and the PPPOE session stage (PPPOE Session Stage).
When a client host wishes to begin a PPPOE session, it first searches for an access concentrator on the broadcast network; after the host has selected the access server it needs, it starts establishing a PPPOE session with that access server. In this process the access concentrator assigns a unique session ID to each PPPOE session, and once the session is established the PPPOE session stage begins. In this stage the two ends of the point-to-point connection exchange data using the PPP protocol, complete the series of PPP procedures, and finally transmit network layer datagrams over this point-to-point logical channel.
The access control module of PPPOE access control device 2 first verifies, through PPPOE authentication, the username and password sent by client 1. After this authentication passes, the access control module sends the received security health fingerprint information to authentication server 3 and security health fingerprint authentication server 4 with the RADIUS protocol.
Authentication server 3 extracts the fingerprint information from the RADIUS-encapsulated authentication packet, re-encapsulates it in RADIUS packet format and sends it to security health fingerprint authentication server 4. Authentication server 3 communicates with security health fingerprint authentication server 4 using the standard RADIUS protocol; in this process authentication server 3 is the RADIUS client and security health fingerprint authentication server 4 is the RADIUS server. The content of the security health fingerprint information is encapsulated in the RADIUS packet in the "type, length, content" form, where the value of the type field must be uniformly defined by client 1, authentication server 3 and security health fingerprint authentication server 4 so that all three understand the meaning of the specific fields.
After security health fingerprint authentication server 4 has evaluated the host's security situation, it decides whether this host is allowed to access the network.
Fig. 6 shows the deployment architecture of the component devices of the access authentication system of the third embodiment, in which the host of each dial-up user (i.e. a client) is connected to the accessed public telecommunications network (shown by the dashed rectangle in the figure) through the PPPOE access device.