CN1744515A - Method for realizing safety accessing of external network for user in gateway, gate bridge - Google Patents


Info

Publication number: CN1744515A
Authority: CN (China)
Prior art keywords: user, security, gateway, bridge, request
Legal status: Granted
Application number: CN 200510037455
Other languages: Chinese (zh)
Other versions: CN100534044C (en)
Inventor: 郭栋梓
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Shenzhen Shenxinfu Electronic Technology Co Ltd
Application filed by Shenzhen Shenxinfu Electronic Technology Co Ltd
Priority to CNB2005100374551A (granted as CN100534044C)
Publication of CN1744515A; application granted and published as CN100534044C
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The method uses a security gateway or security bridge to connect an inner (trusted) network with an outer (untrusted) network, and comprises the steps: (1) the user sends a request to the security gateway or bridge to connect to the outer network; (2) the security gateway or bridge checks whether a record for this user exists; if there is none and the requested resource is a web resource, a security scan is started; if the scan passes, the result and the user are recorded and an automatic expiry time is assigned; (3) the request is allowed on the basis of the record or the passed scan result, provided it also satisfies the security settings the security gateway or bridge holds for that type of outer-network resource; otherwise the request is rejected. When a user requests access to an untrusted outer network, the invention has the gateway or bridge initiate a check of the software running on the user's device and of its configuration. Under the protection of that software, and with the necessary monitoring and control, the user can then access the outer network and the Internet.

Description

A method for realizing secure user access to an outer network on a gateway or bridge
Technical field
The present invention relates to computer and network security technology, and in particular to a method that uses a gateway or bridge to realize secure user access to an external untrusted network or the Internet.
Background technology
With the development and application of the Internet and information technology, the Internet has become an indispensable part of people's daily work and life, but it brings the following problems:
1. Information on the Internet is of very mixed quality and full of threats such as hackers, viruses and traps, and a person using the Internet (hereafter "the user") may suffer damage and harassment from the Internet at any time.
2. A user may use the Internet for matters unrelated to work, or use it to do things that violate national laws and regulations.
To protect the user from damage originating on the Internet, the security officer who manages the user or the user's network usually provides the user with a series of security software products to guard against Internet threats, such as anti-virus software, anti-hacker software and anti-harassment software; to ensure that the user does not use the Internet for matters unrelated to work or in violation of national laws and regulations, the security officer can notify the user, or install a series of monitoring, filtering and logging software for the user to prevent such behaviour directly.
However, the above software is not software the user needs in order to connect to the Internet. Without it, or without its configuration (or with its software information not updated), the user can still connect to and use the Internet; the user then remains exposed to threats and harassment from the Internet, and can still use the Internet for matters unrelated to work or for illegal acts that violate national laws and regulations.
Summary of the invention
The technical problem to be solved by the present invention is how to ensure that, when the user goes online, the user's device is running the appropriate software with the correct settings and fully meets the requirements of the network management personnel.
The present invention solves this technical problem by providing a method for realizing secure user access to an outer network on a gateway or bridge. It uses a security gateway or security bridge to connect an inner trusted network with an outer untrusted network, and comprises the following steps:
1.1) request: the user sends a request to the security gateway or bridge to connect to a resource on the outer untrusted network;
1.2) security check: the security gateway or bridge checks whether a record for this user exists; if not, and the requested resource is a WEB resource, a security scan of the user's software environment and configuration is started; if the scan passes, the result and the user are recorded and an automatic expiry time is assigned;
1.3) allow or refuse the request: the request is allowed on the basis of the record or the passed scan result, provided it also satisfies the security settings that the security gateway or bridge holds for that type of outer untrusted-network resource; otherwise the request is rejected.
According to the method provided by the invention, the security settings may allow access to WEB resources while intercepting requests for some other network resources.
According to the method provided by the invention, the inner trusted network stores a WEB security scan program that users can access; the resource in step 1.1) is a WEB resource, and the security scan in step 1.2) uses the WEB security scan program and comprises the following steps:
1.2.1) the user's request is redirected so that the user is forced to visit the WEB security scan program;
1.2.2) the user's device automatically invokes the WEB security scan program, which scans the software environment and configuration of the device itself and outputs a scan result;
1.2.3) the scan result is transmitted to the security gateway or bridge.
According to the method provided by the invention, the method also includes a security check at the user's own request, with the following steps:
3.1) the user voluntarily visits the WEB page corresponding to the WEB security scan program;
3.2) the WEB security scan program is invoked to scan the software environment and configuration of the device itself and output a scan result;
3.3) the scan result is transmitted to the security gateway or bridge;
3.4) if the scan passes, the security gateway or bridge records the result and the user, and assigns an automatic expiry time.
According to the method provided by the invention, the automatic expiry time may be, but is not limited to, between 5 minutes and one week.
In the method for realizing secure user access to an outer network on a gateway or bridge provided by the invention, when a user requests access to an external untrusted network, the gateway or bridge starts a check of the software running on the user device and of its configuration, and access is allowed only once the check passes. The user thus accesses the external network and the Internet under the protection and monitoring of the designated software, obtaining the necessary security protection while also being subject to the necessary monitoring by the network management personnel.
Description of drawings
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a network connection diagram provided by the invention.
Fig. 2 is a flow chart of a user device on the internal network of Fig. 1 accessing, through the security gateway, the external network on the other side (the untrusted zone or the Internet).
Embodiment
The inventive concept is to provide a network admission rule between the user's trusted network and the untrusted network (the untrusted network typically being the Internet): when a user on the trusted network accesses the untrusted network, the gateway or bridge must first perform a security scan of the terminal the user goes online with (typically a computer), to check whether the security configuration set by the network security personnel for that terminal is in place and whether the relevant security software exists and is running normally. If the security configuration is in place and the security software runs normally, the user is allowed to connect to and use the untrusted network; otherwise the user's request to connect to and use the untrusted network is refused.
The operating principle of secure network use according to the invention is as follows:
First, the security gateway or bridge device is added between the end user's inner trusted network and the outer untrusted network, so that all data the user sends from the trusted network to, or receives from, the outer untrusted network passes through this device.
Second, when the user requests to connect to and use the outer untrusted network, the network security settings on the gateway or bridge require that the user's access terminal first be scanned over the WEB protocol (HTTP) or the secure WEB protocol (HTTPS), to confirm that the terminal's configuration and software environment meet the conditions set by the network security personnel. If they do not, the user's request to connect to and use the outer untrusted network is refused, and the security gateway or bridge reports this information to the network security personnel so that they can take maintenance action.
Third, the security gateway or bridge scans the end user's terminal device over WEB or secure WEB, specifically as follows:
1) When an end user who has not passed the security scan requests a WEB resource on the outer untrusted network, the security gateway or bridge denies the access but starts the security scan; when such a user requests another kind of network resource on the outer untrusted network, the gateway or bridge denies the access and does not start the security scan. When an end user who has passed the security scan requests to connect to a WEB resource on the outer untrusted network, the request is allowed; when such a user requests another kind of network resource, whether the request is allowed is still determined by the specific security settings the security gateway or bridge holds for that type of outer untrusted-network resource.
2) For an end user who has not passed the security scan, the specific scan process is: when the end user requests to connect to a WEB resource on the outer untrusted network, the request is forcibly redirected to the WEB page on which the security gateway or bridge scans the terminal device, and the scan starts automatically; when the scan passes, the user is allowed, for a period of time, to use and access the resources of the outer untrusted network normally.
3) For an end user who actively requests a security scan, the specific process is: the end user voluntarily visits the WEB page on which the security gateway or bridge scans the terminal device, and the scan starts automatically; when the scan passes, the user is allowed, for a period of time, to use and access the resources of the outer untrusted network normally.
Further, the specific network structure of the invention is shown in Fig. 1: user terminals are distributed in the inner trusted network 1 and connect to the outer untrusted network through security gateway or bridge 2, so that all data the user sends from the trusted network to, or receives from, the outer untrusted network (mainly the Internet) passes through this device.
The flow by which a user device on the internal network accesses the external network on the other side of the security gateway or bridge is shown in Fig. 2 and comprises the following steps:
201) start;
202) the user goes online through the user device, which attempts to access the untrusted network through the security gateway or bridge and sends a request to the security gateway or bridge;
203) query the records in the security gateway or bridge to determine whether this user has passed a security scan within the validity period. If a record exists, go to step 2072; if not, go to the next step;
204) redirect the user device's access request, forcing the device to visit the WEB security scan program designated by the security gateway;
205) the WEB program designated by the security gateway performs a security scan of the user device;
206) the WEB program automatically determines whether the software running on the user device and its configuration meet the security policy formulated by the administrator. If so, go to step 2072; if not, go to the next step;
2071) stop the user device's access request and refuse the user's request to go online; go to step 208;
2072) allow the user device's access requests for a specified period of time, i.e. allow the user to go online; record this user device in the security gateway or bridge and set an automatic expiry time, which may be 5 to 30 minutes;
208) end.
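The admission logic of steps 1.1) to 1.3) and the flow of Fig. 2 (steps 201 to 208), written out as an added Python example. This is illustrative code, not the patent's or the assignee's implementation. The `ScanReport` fields, the `scan_passes` policy, the resource-type labels `web` and `other`, the default 30-minute validity and the integer timestamps are all assumptions: the text only states that the scan checks the device's software environment and configuration, that the gateway records a passed scan with an automatic expiry, and that non-WEB resources are decided by per-type security settings.

```python
"""Simulation of the gateway/bridge admission decision described in the patent.

Constructed example: the 'scan' is a hypothetical report the WEB scan page
would return; the real scan program and its checks are not specified in the text.
"""
from dataclasses import dataclass, field
from enum import Enum

MIN_VALIDITY = 5 * 60          # lower bound from the text: 5 minutes
MAX_VALIDITY = 7 * 24 * 3600   # upper bound from the text: one week


class Decision(Enum):
    ALLOW = "allow"                          # step 2072
    DENY = "deny"                            # step 2071, no scan started
    REDIRECT_TO_SCAN = "redirect-to-scan"    # step 204: deny this request, start the scan


@dataclass
class ScanReport:
    # Hypothetical facts the scan page reports about the device (assumed fields).
    antivirus_running: bool
    antivirus_signature_age_days: int
    monitoring_agent_running: bool


def scan_passes(report: ScanReport, max_signature_age_days: int = 7) -> bool:
    """Step 206: hypothetical administrator policy applied to the scan output."""
    return (report.antivirus_running
            and report.antivirus_signature_age_days <= max_signature_age_days
            and report.monitoring_agent_running)


@dataclass
class Gateway:
    # Resource type -> allowed for a scanned user (the "security settings" of step 1.3).
    # Assumed default: WEB allowed, other resource types intercepted.
    security_settings: dict = field(default_factory=lambda: {"web": True, "other": False})
    validity_seconds: int = 30 * 60            # embodiment: 5 to 30 minutes
    records: dict = field(default_factory=dict)  # user -> expiry timestamp

    def __post_init__(self) -> None:
        if not MIN_VALIDITY <= self.validity_seconds <= MAX_VALIDITY:
            raise ValueError("validity must be between 5 minutes and one week")

    def has_valid_record(self, user: str, now: int) -> bool:
        """Step 203: does a record exist whose expiry has not yet been reached?"""
        expiry = self.records.get(user)
        if expiry is None:
            return False
        if now >= expiry:
            del self.records[user]   # the record ceases to be in force automatically
            return False
        return True

    def record_scan_result(self, user: str, report: ScanReport, now: int) -> bool:
        """Steps 1.2.2-1.2.3 / 3.2-3.4: evaluate a scan result and record it if it passed.

        Serves both the redirected scan and the user's own active request."""
        if not scan_passes(report):
            return False
        self.records[user] = now + self.validity_seconds
        return True

    def handle_request(self, user: str, resource_type: str, now: int) -> Decision:
        """Steps 202-2072: decide one outbound request."""
        if self.has_valid_record(user, now):
            allowed = self.security_settings.get(resource_type, False)
            return Decision.ALLOW if allowed else Decision.DENY
        if resource_type == "web":
            return Decision.REDIRECT_TO_SCAN   # deny, but start the scan
        return Decision.DENY                   # deny, no scan started


def walk_flow() -> list:
    """Walks the Fig. 2 flow for one constructed user and returns the decisions."""
    gw = Gateway()
    out = [gw.handle_request("alice", "web", now=1000)]          # no record: redirect
    gw.record_scan_result("alice", ScanReport(True, 2, True), now=1000)
    out.append(gw.handle_request("alice", "web", now=1001))      # record: allow
    out.append(gw.handle_request("alice", "other", now=1001))    # intercepted by settings
    out.append(gw.handle_request("alice", "web", now=1000 + 30 * 60))  # expired: redirect
    return out


if __name__ == "__main__":
    for d in walk_flow():
        print(d.value)
```

The expiry check is done on read rather than by a background timer so the record is never consulted past its validity; a failed scan deliberately leaves no record, so the next WEB request redirects to the scan page again rather than being remembered as a failure.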

Claims (4)

1. A method for realizing secure user access to an outer network on a gateway or bridge, using a security gateway or security bridge to connect an inner trusted network with an outer untrusted network, comprising the following steps:
1.1) request: the user sends a request to the security gateway or bridge to connect to a resource on the outer untrusted network;
1.2) security check: the security gateway or bridge checks whether a record for this user exists; if not, and the requested resource is a WEB resource, a security scan of the user's software environment and configuration is started; if the scan passes, the result and the user are recorded and an automatic expiry time is assigned;
1.3) allow or refuse the request: the request is allowed on the basis of the record or the passed scan result, provided it also satisfies the security settings that the security gateway or bridge holds for that type of outer untrusted-network resource; otherwise the request is rejected.
2. The method according to claim 1, characterized in that the inner trusted network stores a WEB security scan program that users can access, the resource in step 1.1) is a WEB resource, and the security scan in step 1.2) uses the WEB security scan program and comprises the following steps:
1.2.1) the user's request is redirected so that the user is forced to visit the WEB security scan program;
1.2.2) the user's device automatically invokes the WEB security scan program, which scans the software environment and configuration of the device itself and outputs a scan result;
1.2.3) the scan result is transmitted to the security gateway or bridge.
3. The method according to claim 1 or 2, characterized in that the method also includes a security check at the user's own request, with the following steps:
3.1) the user visits the WEB page corresponding to the WEB security scan program;
3.2) the WEB security scan program is invoked to scan the software environment and configuration of the device itself and output a scan result;
3.3) the scan result is transmitted to the security gateway or bridge;
3.4) if the scan passes, the result and the user are recorded and an automatic expiry time is assigned.
4. The method according to claim 1, characterized in that the automatic expiry time may be between 5 minutes and one week.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100374551A CN100534044C (en) 2005-09-26 2005-09-26 Method for realizing safety accessing of external network for user in gateway, gate bridge

Publications (2)

Publication Number Publication Date
CN1744515A true CN1744515A (en) 2006-03-08
CN100534044C CN100534044C (en) 2009-08-26

Family

ID=36139728

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100426755C (en) * 2006-11-06 2008-10-15 吉林大学 Kernel devices of credible network
US8230220B2 (en) 2007-09-14 2012-07-24 China Iwncomm Co., Ltd. Method for realizing trusted network management
CN101827252A (en) * 2010-05-14 2010-09-08 山东泰信电子有限公司 System and method for realizing safe internet visit by internet television terminal
CN107276979A (en) * 2017-04-26 2017-10-20 浙江远望信息股份有限公司 A kind of method that automatic detection terminal device intranet and extranet interconnect behavior
CN107276979B (en) * 2017-04-26 2021-03-05 浙江远望信息股份有限公司 Method for automatically detecting interconnection behaviors of internal network and external network of terminal equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: Nanshan District Xueyuan Road in Shenzhen city of Guangdong province 518000 No. 1001 Nanshan Chi Park building A1 layer

Patentee after: SINFOR Polytron Technologies Inc

Address before: 518052 room 410, science and technology innovation center, 1 Qilin Road, Shenzhen, Guangdong, Nanshan District

Patentee before: Shenxinfu Electronics Science and Technology Co., Ltd., Shenzhen