CN1770769A - System and methods for providing network quarantine using ipsec - Google Patents


Info

Publication number: CN1770769A
Authority: CN (China)
Prior art keywords: computer, health, certificate, network, health certificate
Legal status: Pending
Application number: CN 200510116338
Other languages: Chinese (zh)
Inventors: B·D·斯汪达, C·J·布莱克, J·M·乔纳森, K·N·蒙斯, P·G·梅菲尔德
Current assignee: Microsoft Corp
Original assignee: Microsoft Corp
Application filed by Microsoft Corp
Publication of CN1770769A

Abstract

A system and method for ensuring that machines having invalid or corrupt states are restricted from accessing host resources are provided. A quarantine agent (QA) located on a client machine acquires statements of health from a plurality of quarantine policy clients. The QA packages the statements and provides the package to a quarantine enforcement client (QEC). The QEC sends the package to a quarantine Health Certificate Server (HCS) with a request for a health certificate. If the client provided valid statements of health, the HCS grants the client a health certificate that may be used in IPsec session negotiation.

Description

System and methods for providing network quarantine using IPsec
This application claims priority to U.S. Provisional Application No. 60/618,139, filed October 14, 2004.
Technical field
The present invention relates generally to computer access management, and more particularly to checking the security state of a client before allowing it to access host resources.
Background
In computer networks, clients, servers and peers commonly use trust models and mechanisms to ensure that unauthorized users cannot gain access to hosts on the network. These trust models and mechanisms serve to identify users who are not malicious. However, a user's machine may harm other computers without the user's knowledge. For example, the machine may carry a virus or have a security vulnerability the user is unaware of. Thus, no matter how non-malicious the user is, the unsafe state of the user's machine should cause it to be isolated from the network until the security defect has been repaired.
IPsec defines several functions for protecting communications, including data encryption and data integrity. IPsec uses the Authentication Header (AH) to provide source authentication and integrity without encryption, and uses the Encapsulating Security Payload (ESP) to provide authentication and integrity together with encryption. With IPsec, only the sender and the receiver know the security key. If the authentication data is valid, the receiver knows that the communication came from the sender and was not altered in transit.
IPsec can be regarded as a layer in the Transmission Control Protocol/Internet Protocol (TCP/IP) stack. This layer is controlled by the security policy on each computer and by the security association negotiated between sender and receiver. The policy consists of a set of filters and their associated security behaviors. If a packet's IP address, protocol and port number match a filter, the packet is subject to the associated security behavior. The first such packet triggers negotiation of a security association between sender and receiver. Internet Key Exchange (IKE) is the standard protocol for this negotiation. During IKE negotiation, the two computers agree on authentication and data security methods, perform mutual authentication, and then generate a shared key used for subsequent data encryption.
Once the security association is established, data transfer can proceed, with each computer applying data security processing to the packets it sends to the remote receiver. This processing may simply guarantee the integrity of the transmitted data, or it may also encrypt the data. Data integrity and data authentication for the IP payload can be provided by the Authentication Header placed between the IP header and the transport header. The Authentication Header contains authentication data and a sequence number, which together serve to verify the sender, to guarantee that the message was not modified in transit, and to prevent replay attacks.
ESP is a key format in this architecture; it provides confidentiality and integrity by encrypting the data to be protected and placing the encrypted data in the data portion of the IP ESP. Depending on the user's security requirements, this mechanism can be used to encrypt a transport-layer segment (for example, TCP, UDP, ICMP, IGMP) or an entire IP datagram. Encapsulating the protected data is necessary to provide confidentiality for the whole original datagram. The ESP header is inserted after the IP header and before the upper-layer protocol header (transport mode) or before an encapsulated IP header (tunnel mode).
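As an added illustration of the Authentication Header mechanics described above (example code written for this page, not code from the patent), the block below pairs an HMAC integrity check value with a sliding anti-replay window: the sender prepends a sequence number and an ICV to each packet, and the receiver drops packets whose ICV fails, whose sequence number was already accepted, or which fall behind the window. The shared key, the 64-entry window and the sample packets are constructed stand-ins; a real SA takes its key from IKE and uses the AH layout defined by the IPsec standards.

```python
"""Integrity plus anti-replay, as the Authentication Header provides them.

Added example for this page, not code from the patent. The shared key, the
64-entry window and the sample packets are constructed; a real SA gets its
key from IKE and uses the AH layout from the IPsec standards.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-shared-sa-key"   # stands in for the key negotiated by IKE
ICV_LEN = 32                         # HMAC-SHA256 integrity check value length


def protect(seq, payload, key=KEY):
    """Sender side: packet = sequence number || ICV || payload.

    The ICV covers the sequence number and the payload, so neither can be
    altered in transit without the check failing at the receiver.
    """
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + icv + payload


class ReplayWindow:
    """Receiver-side anti-replay state for one security association."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bitmap: bit i set <=> (highest - i) was accepted

    def check(self, seq):
        """Cheap pre-filter run before the ICV is verified."""
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.highest:
            return True                       # newer than anything seen
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # fell off the back of the window
        return not (self.seen >> offset) & 1  # reject duplicates

    def update(self, seq):
        """Record an accepted packet; only called after the ICV checked out."""
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)


def verify(packet, window, key=KEY):
    """Receiver side: returns the payload if authentic and fresh, else None."""
    if len(packet) < 4 + ICV_LEN:
        return None
    header, icv, payload = packet[:4], packet[4:4 + ICV_LEN], packet[4 + ICV_LEN:]
    seq = struct.unpack("!I", header)[0]
    if not window.check(seq):
        return None                           # replayed or too old
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expected):
        return None                           # modified in transit or wrong key
    window.update(seq)
    return payload


if __name__ == "__main__":
    window = ReplayWindow()
    first = protect(1, b"constructed payload")
    print(verify(first, window))              # accepted once
    print(verify(first, window))              # replay: None
```

The window is consulted before the ICV is computed, so a flood of replayed packets costs the receiver no MAC work, and it is only updated after the ICV verifies, so a forged sequence number cannot advance it.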
However, conventional authentication processes do not prevent an unsafe or even malicious machine from accessing a host. A computer can provide valid authentication, yet the machine itself may be infected with a virus or contain security vulnerabilities that should be repaired before the machine is allowed to access another computer's network resources. There is therefore a need in the art for a system and method that ensures a client is not allowed to access a host before it has passed a security check.
Summary of the invention
In view of the above, the invention provides a method that allows a host on a network to provide selective network quarantine using the IP security protocol (IPsec). It is realized as follows: receive from a client an Internet Key Exchange (IKE) packet containing a client health statement; validate the client health statement; if the client health statement is valid, send a host health statement to the client; and if the client health statement is invalid, refuse the client access to the host. The health statement describes the client's compliance with the network's security policy. The method further comprises, if the client's health certificate is acceptable, communicating with the client over an optionally encrypted connection. In various embodiments of the invention, the health certificate can be an X509 certificate, a Kerberos ticket or a WS-Security token.
Another embodiment of the invention provides a method that allows a host to obtain a health certificate, comprising sending one or more health statements to a health certificate server, receiving a statement of health response from the health certificate server and, if the health certificate server validates the health statements, receiving a health certificate and configuring the host to implement an IPsec policy that requires a client health certificate from a client before granting that client access to the host. If the health statements are not validated, the statement of health response indicates that the host does not comply with the network security policy.
Another embodiment of the invention is directed to a computer network that implements a network quarantine model. The network comprises a first set of computers, each of which has a health certificate and communicates only with computers that likewise have a valid health certificate; a second set of computers, each of which has a health certificate and communicates with all other computers in the network; and a third set of computers, each of which has no health certificate and communicates with all or a subset of the other computers in the network. Communication among the first set of computers, and between the first set and the second set, is realized using IPsec.
Other features and advantages of the invention will become apparent from the following detailed description of illustrative embodiments, read with reference to the accompanying drawings.
Description of drawings
The accompanying drawings, which are incorporated in and form part of this specification, illustrate several aspects of the invention and, together with the description, serve to explain its principles. In the drawings:
Figure 1A is a schematic diagram generally illustrating an exemplary network environment in which the present invention operates;
Figure 1B is a block diagram generally illustrating an exemplary computer system on which the present invention resides;
Fig. 2 is a schematic diagram of the interaction of the components of one embodiment of the present invention;
Fig. 3 shows the network quarantine model of the present invention; and
Fig. 4 shows a quarantine enforcement client of the present invention;
Fig. 5 shows the process by which a client of the present invention obtains a health certificate;
Fig. 6 shows the process by which a client of the present invention initiates communication with a host.
Although the invention will be described in conjunction with certain preferred embodiments, there is no intent to limit it to those embodiments. On the contrary, the intent is to cover all alternatives, modifications and equivalents included within the spirit and scope of the invention as defined by the appended claims.
Embodiment
Turning to the drawings, in which like reference numerals refer to like elements, the invention is illustrated as being implemented in a suitable computing environment. The following description is based on embodiments of the invention and should not be taken as limiting the invention with regard to alternative embodiments not explicitly described herein.
An example of a networked environment in which the invention may be used is described with reference to Figure 1A. The example network includes several computers 110 communicating with one another over a network represented by cloud 111. Network 111 may include many well-known components such as routers, gateways, switches and the like, and allows computers 110 to communicate via wired and/or wireless media. When interacting with each other over network 111, one or more of the computers may act as clients, network servers, quarantine servers or peers with respect to other computers. Accordingly, the various embodiments of the invention may be practiced on clients, network servers, quarantine servers, peers or combinations thereof, even though the specific examples contained herein do not refer to all of these types of computers.
Figure 1B illustrates an example of a suitable computing system environment 100 on which the invention may be implemented. The computing system environment 100 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Neither should computing environment 100 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary computing environment 100.
The invention is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations that may be suitable for use with the invention include, but are not limited to: personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
The invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including memory storage devices.
With reference to Figure 1B, an exemplary system for implementing the invention includes a general purpose computing device in the form of a computer 110, which may act as a client, network server, quarantine server or peer within the context of the invention. Components of computer 110 may include, but are not limited to, a processing unit 120, a system memory 130, and a system bus 121 that couples various system components, including the system memory 130, to the processing unit 120. The system bus 121 may be any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include the Industry Standard Architecture bus, the Micro Channel Architecture bus, the Enhanced ISA bus, the Video Electronics Standards Association local bus and the Peripheral Component Interconnect (PCI) bus, also known as the Mezzanine bus.
Computer 110 typically includes a variety of computer-readable media. Computer-readable media can be any available media that can be accessed by computer 110, and includes both volatile and nonvolatile media, removable and non-removable media. By way of example, and not limitation, computer-readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by computer 110. Communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and includes any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media, such as a wired network or direct-wired connection, and wireless media, such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media.
The system memory 130 includes computer storage media in the form of volatile and/or nonvolatile memory, such as read only memory (ROM) 131 and random access memory (RAM) 132. A basic input/output system 133 (BIOS), containing the basic routines that help to transfer information between elements within computer 110, such as during start-up, is typically stored in ROM 131. RAM 132 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 120. By way of example, and not limitation, Figure 1B illustrates operating system 134, application programs 135, other program modules 136 and program data 137.
Computer 110 may also include other removable/non-removable, volatile/nonvolatile computer storage media. By way of example only, Figure 1B illustrates a hard disk drive 141 that reads from or writes to non-removable, nonvolatile magnetic media, a magnetic disk drive 151 that reads from or writes to a removable, nonvolatile magnetic disk 152, and an optical disk drive 155 that reads from or writes to a removable, nonvolatile optical disk 156 such as a CD ROM or other optical media. Other removable/non-removable, volatile/nonvolatile computer storage media that can be used in the exemplary computing environment 100 include, but are not limited to, magnetic tape cassettes, flash memory cards, digital versatile disks, digital video tape, solid state RAM, solid state ROM and the like. The hard disk drive 141 is typically connected to the system bus 121 through a non-removable memory interface such as interface 140, and the magnetic disk drive 151 and optical disk drive 155 are typically connected to the system bus 121 by a removable memory interface such as interface 150.
The drives and their associated computer storage media discussed above and illustrated in Figure 1B provide storage of computer-readable instructions, data structures, program modules and other data for computer 110. In Figure 1B, for example, hard disk drive 141 is illustrated as storing operating system 144, application programs 145, other program modules 146 and program data 147. Note that these components can either be the same as or different from operating system 134, application programs 135, other program modules 136 and program data 137. Operating system 144, application programs 145, other program modules 146 and program data 147 are given different numbers here to illustrate that, at a minimum, they are different copies.
A user may enter commands and information into computer 110 through input devices such as a keyboard 162 and a pointing device 161, commonly referred to as a mouse, trackball or touch pad. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner or the like. These and other input devices are often connected to the processing unit 120 through a user input interface 160 that is coupled to the system bus 121, but may be connected by other interface and bus structures, such as a parallel port, game port or universal serial bus (USB). A monitor 191 or other type of display device is also connected to the system bus 121 via an interface, such as a video interface 190. In addition to the monitor 191, computer 110 may also include other peripheral output devices such as speakers 197 and printer 196, which may be connected through an output peripheral interface 195.
Computer 110 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 180. The remote computer 180 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to personal computer 110, although only a memory storage device 181 has been illustrated in Figure 1B. The logical connections depicted in Figure 1B include a local area network (LAN) 171 and a wide area network (WAN) 173, but may also include other networks. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.
When used in a LAN networking environment, computer 110 is connected to the LAN 171 through a network interface or adapter 170. When used in a WAN networking environment, computer 110 typically includes a modem 172 or other means for establishing communications over the WAN 173, such as the Internet. The modem 172, which may be internal or external, may be connected to the system bus 121 via the user input interface 160 or another appropriate mechanism. In a networked environment, program modules depicted relative to personal computer 110, or portions thereof, may be stored in the remote memory storage device 181. By way of example, and not limitation, Figure 1B illustrates remote application programs 185 as residing on memory device 181. It will be appreciated that the network connections shown are exemplary and that other means of establishing a communications link between the computers may be used.
In the description that follows, the invention will be described with reference to acts and symbolic representations of operations that are performed by one or more computers, unless indicated otherwise. As such, it will be understood that such acts and operations, which are at times referred to as being computer-executed, include the manipulation by the processing unit of the computer of electrical signals representing data in a structured form. This manipulation transforms the data or maintains it at locations in the memory system of the computer, which reconfigures or otherwise alters the operation of the computer in a manner well understood by those skilled in the art. The data structures in which data is maintained are physical locations of the memory that have particular properties defined by the format of the data. However, while the invention is described in the foregoing context, this is not meant to be limiting, as those skilled in the art will appreciate that various acts and operations described hereinafter may also be implemented in hardware.
The present invention is directed to an enforcement mechanism for network access protection that combines the IP Security (IPsec) protocol with a host firewall to provide network quarantine. The combination of IPsec and host firewall is referred to as the Authenticating Firewall (AFW). A Quarantine Enforcement Client (QEC) operates on the host to coordinate IPsec and firewall policy. The QEC is also responsible for obtaining a health certificate so that the host can communicate with other hosts that have IPsec policy enabled.
Fig. 2 depicts a typical network environment in which the invention may be implemented. Client 200 sends a Statement of Health (SoH) to the Health Certificate Server (HCS) 210. The HCS verifies the SoH through the Internet certificate server (IAS) 200, which maintains up-to-date policy requirements obtained from policy servers 230a, 230b, 230c. If the SoH passes all policy requirements, HCS 210 issues a health certificate to client 200. Client 200 can then use the health certificate to communicate with other protected systems in Fig. 2, such as VPN gateway 240 or DHCP server 250.
The HCS issues certificates to clients that pass the health checks. In one embodiment, the health certificate is an X509 certificate with a very short lifetime (configurable, but on the order of hours). However, the health certificate can be any verifiable data structure that indicates the health state of a system, such as a Kerberos ticket or a WS-Security token. Once a system holds a health certificate, it can use it to authenticate to other systems by proving its health state. In one embodiment, the HCS is standalone, meaning that if a PKI hierarchy is already installed the HCS need not be integrated into it. In another embodiment, the HCS is integrated into the existing PKI for administrative purposes, or to allow health certificates to be bound to specific entities. As part of standard NAP provisioning, the client is given the root certificate of its HCS. The client can install this root certificate into a private store dedicated to quarantine purposes (if the existing PKI is used, the system assumes the root trust has already been provisioned and no provisioning is needed), or it can install the root certificate into the standard machine or user certificate store.
AFW quarantine differs from the quarantine provided by other quarantine enforcement mechanisms such as DHCP and 802.1x. AFW quarantine is enforced in a distributed manner by each individual host, rather than centrally at the point where network connectivity is provided. This gives each host the ability to protect itself even when malicious hosts are present on the network, which is not possible with other quarantine enforcement mechanisms such as DHCP or 802.1x. AFW is the only quarantine option that can be applied on a per-host, per-port or per-application basis.
AFW quarantine divides the physical network into three or more logical rings, as shown in Figure 3. Each computer is in one and only one logical ring at any given time. The rings are defined by health certificates and by the requirement to communicate using health certificates. The rings give all systems the greatest communication ability possible while still protecting healthy systems from attack by unhealthy ones. The protected ring is defined as the set of computers that have a health certificate and can require their peers to have a health certificate. Most clients and servers are in this ring. Depending on the site policy defined by the administrator, computers in the protected ring can communicate freely with some or all of the computers in the protected ring or the boundary ring. Also depending on site policy, computers in the protected ring can communicate with computers in the quarantine ring as long as the protected-ring computer initiates the communication. For example, a client in the protected ring may be able to request a web page from a server in the quarantine ring. However, a client in the quarantine ring is prevented from requesting a web page from a server in the protected ring. If the administrator decides to quarantine a specific application (as opposed to quarantining the whole computer), then communication between rings is restricted only for that application. For example, if FTP traffic is quarantined, an FTP client in the quarantine ring is prevented from connecting to an FTP server in the protected ring. In that particular case, however, the two computers can still communicate freely over HTTP regardless of their ring membership.
The boundary ring is defined as the set of computers that have a health certificate but do not require their peers to have one. These computers can communicate freely with any other computer regardless of ring membership. The boundary ring usually contains very few computers, and they are specifically configured to be there. Systems in the boundary ring are typically servers that need to initiate traffic to all clients regardless of ring membership. For example, a patch server needs to provide patches to clients in the quarantine ring so that those clients can be issued health certificates. It also needs to serve clients in the protected ring and to accept communication from management servers in the protected ring.
The quarantine ring is defined as the set of computers that have no health certificate. They may lack one because they have not completed the health checks, because they are guests on the network, or because they cannot participate in the quarantine system. Computers in the quarantine ring can communicate freely with computers in the protected ring. Those skilled in the art will recognize that other quarantine models can be realized by changing the IPsec policy and requirements.
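The ring model above can be captured as a small policy evaluator. The block below is an added example written for this page, not code from the patent: it derives each host's ring from its certificate state and applies the rules given for the protected and boundary rings (protected hosts may initiate towards quarantined hosts, never the reverse; boundary hosts talk to anyone; per-application quarantine restricts only the listed applications). The host table, application names and quarantined-application list are constructed.

```python
"""Ring membership and inter-ring connection policy of the AFW quarantine model.

Added example for this page, not code from the patent. The host table,
application names and the quarantined-application list are constructed.
"""
from dataclasses import dataclass

PROTECTED, BOUNDARY, QUARANTINE = "protected", "boundary", "quarantine"


@dataclass(frozen=True)
class Host:
    name: str
    has_health_cert: bool      # holds a current health certificate
    requires_peer_cert: bool   # its IPsec policy demands a peer health certificate


def ring_of(host):
    """Place a host in exactly one ring from its certificate state."""
    if not host.has_health_cert:
        return QUARANTINE
    return PROTECTED if host.requires_peer_cert else BOUNDARY


def connection_allowed(initiator, responder, application, quarantined_apps=frozenset()):
    """Return True if `initiator` may open an `application` connection to `responder`.

    - boundary hosts communicate with anyone, in either direction;
    - protected hosts communicate with protected and boundary hosts, and may
      initiate towards quarantined hosts;
    - quarantined hosts may not initiate towards protected hosts;
    - with per-application quarantine in effect (non-empty `quarantined_apps`),
      only the listed applications are restricted between rings.
    """
    if quarantined_apps and application not in quarantined_apps:
        return True
    src, dst = ring_of(initiator), ring_of(responder)
    if BOUNDARY in (src, dst):
        return True
    if src == PROTECTED:
        return True
    return dst == QUARANTINE   # quarantined -> quarantined only


def evaluate(requests, quarantined_apps=frozenset()):
    """Turn (initiator, responder, application) triples into a decision table."""
    return {f"{a.name}->{b.name}/{app}": connection_allowed(a, b, app, quarantined_apps)
            for a, b, app in requests}


# Constructed sample network: two protected hosts, one boundary patch server, one guest.
WORKSTATION = Host("ws1", has_health_cert=True, requires_peer_cert=True)
FILE_SERVER = Host("srv1", has_health_cert=True, requires_peer_cert=True)
PATCH_SERVER = Host("patch", has_health_cert=True, requires_peer_cert=False)
GUEST = Host("guest", has_health_cert=False, requires_peer_cert=False)

if __name__ == "__main__":
    table = evaluate([(GUEST, FILE_SERVER, "http"), (FILE_SERVER, GUEST, "http"),
                      (GUEST, PATCH_SERVER, "http"), (PATCH_SERVER, WORKSTATION, "smb")])
    for request, allowed in table.items():
        print(request, "allowed" if allowed else "blocked")
```

Because `ring_of` is derived purely from whether a host holds a certificate and whether its own policy demands one from peers, the same evaluator reproduces the statement that a guest can reach the patch server while being blocked from the file server, and that quarantining only FTP leaves HTTP between the same pair untouched.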
Turning to Fig. 4, the AFW Quarantine Enforcement Client (QEC) 430 extends the quarantine platform architecture on client 400. The purpose of the AFW QEC is to negotiate a health certificate with the health certificate server and to configure the IPsec and firewall components accordingly. The Quarantine Agent (QA) coordinates with System Health Agents (SHA) 410a, 410b, 410c to assemble the SoH. Each SHA 410a, 410b, 410c is responsible for determining whether the client satisfies all of the policies and requirements needed for a health certificate. QA 420 obtains the results of these checks through the SHA API and assembles them into an SoH that it can provide to QEC 430. When QEC 430 obtains a new health certificate, it first passes the SoH and any authentication credentials to HCS 470. In one embodiment, this transfer is carried out over Secure Hypertext Transfer Protocol (HTTPS). If QEC 430 satisfies all policy requirements, QEC 430 receives an SoH response and a health certificate from HCS 470. QEC 430 configures the firewall and IPsec subsystem 460 with the default quarantine rules. If the quarantine system is standalone, the QEC places the health certificate in private certificate store 450. If the client does not pass all health checks, the QEC receives one or more SoH responses from the HCS notifying the client that it does not satisfy one or more policy requirements. The SoH response can detail the specific requirements the client has not satisfied. The QEC can then choose a remediation server and bring the client back to a healthy state by installing the required patches and updates.
Fig. 5 shows the process followed when a system joins the AFW quarantine system. In step 510, the system boots. It obtains an unrestricted IP address from its DHCP server (assuming DHCP-based quarantine enforcement is not in use). The system firewall is in "on, with no exceptions" mode, so no other system can connect to it. At this point the system is in the quarantine ring, because it has no current health certificate. It may be able to communicate with other quarantined systems and with Internet-accessible systems. Computers in the protected ring prevent this system from connecting to them. In step 520, the AFW QEC starts. The QEC initiates a connection to the Health Certificate Server (HCS) and, in step 530, verifies that the HCS is trustworthy by checking its certificate against a list of trusted HCS servers. In step 540, the QEC sends the client's current Statement of Health (SoH) information to the HCS. In step 550, the HCS passes the SoH information to the IAS server. In step 560, the IAS server determines, based on the SoH information and its configured policy, whether a health certificate should be granted to the client. The IAS server sends the Statement of Health Response (SoHR), together with a value indicating whether a health certificate should be issued to the client, back to the health certificate server.
In step 570, the health certificate server forwards the SoHR to the AFW QEC. If the client has passed the health checks, it is issued a health certificate at this point. The AFW QEC repeats steps 530 to 570 whenever new SoH information arrives at the quarantine agent or whenever the current health certificate is about to expire. If a health certificate is issued to the AFW QEC, it adds the certificate in step 580 to the computer's machine store. It configures the IPsec subsystem to attempt to authenticate with this health certificate to any peer it can. It configures the host firewall through IPsec to allow inbound connections from any peer that authenticates with a health certificate of its own. At this point the computer operates in the protected ring.
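The issuance flow of Fig. 4 and Fig. 5 (steps 530 to 580), as an added example written for this page rather than code from the patent: three stand-in System Health Agents report the client's state, the quarantine agent assembles them into one SoH, the QEC checks the HCS against a trusted list before sending, the IAS evaluates the SoH against policy and returns an SoHR listing any unmet requirements, and the HCS issues a short-lived certificate only when the list is empty. The SHA checks, the policy values, the trusted-HCS list, the HMAC-signed certificate format, the four-hour lifetime and the renewal margin are all constructed assumptions; a deployment uses X.509 certificates over HTTPS.

```python
"""Health-certificate issuance (Fig. 4 and Fig. 5, steps 530-580) in miniature.

Added example for this page, not code from the patent. The SHA checks, the
policy, the trusted-HCS list, the HMAC-signed certificate and the four-hour
lifetime are constructed stand-ins; a deployment uses X.509 over HTTPS.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
HOUR = timedelta(hours=1)

# Policy requirements the IAS evaluates (constructed; the role of policy servers 230a-c).
POLICY = {"firewall_on": True, "av_max_age_days": 7, "min_patch_level": 42}

# Trusted HCS list used in step 530, keyed by HCS name (constructed).
TRUSTED_HCS = {"hcs.corp.example": b"constructed-hcs-signing-key"}


# --- System Health Agents 410a-c: each reports one aspect of the client's state ---
def sha_firewall(client):
    return {"firewall_on": client["firewall_on"]}


def sha_antivirus(client):
    return {"av_age_days": client["av_age_days"]}


def sha_patches(client):
    return {"patch_level": client["patch_level"]}


def quarantine_agent_assemble_soh(client):
    """QA 420: gather every SHA's statement into one Statement of Health."""
    soh = {}
    for sha in (sha_firewall, sha_antivirus, sha_patches):
        soh.update(sha(client))
    return soh


def ias_evaluate(soh, policy=POLICY):
    """Step 560: list the unmet requirements; an empty list means healthy."""
    unmet = []
    if soh["firewall_on"] != policy["firewall_on"]:
        unmet.append("host firewall must be enabled")
    if soh["av_age_days"] > policy["av_max_age_days"]:
        unmet.append("antivirus signatures older than %d days" % policy["av_max_age_days"])
    if soh["patch_level"] < policy["min_patch_level"]:
        unmet.append("patch level below %d" % policy["min_patch_level"])
    return unmet


def hcs_issue(hcs_name, client_name, soh, now, lifetime_hours=4):
    """Steps 550-570: HCS consults the IAS and returns (SoHR, certificate-or-None)."""
    unmet = ias_evaluate(soh)
    sohr = {"client": client_name, "healthy": not unmet, "unmet": unmet}
    if unmet:
        return sohr, None
    body = {"issuer": hcs_name, "subject": client_name,
            "not_after": (now + lifetime_hours * HOUR).isoformat()}
    raw = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(TRUSTED_HCS[hcs_name], raw, hashlib.sha256).hexdigest()
    return sohr, {"body": body, "sig": sig}


def hcs_trusted(hcs_name):
    """Step 530: only talk to an HCS on the trusted list."""
    return hcs_name in TRUSTED_HCS


def qec_request_certificate(client, hcs_name, now):
    """QEC 430: trust check (530), send SoH (540), receive SoHR and certificate (570)."""
    if not hcs_trusted(hcs_name):
        raise ValueError("refusing untrusted HCS: " + hcs_name)
    soh = quarantine_agent_assemble_soh(client)
    return hcs_issue(hcs_name, client["name"], soh, now)


def needs_renewal(cert, now, margin=timedelta(minutes=30)):
    """The QEC repeats steps 530-570 when the certificate is about to expire."""
    return datetime.fromisoformat(cert["body"]["not_after"]) - now <= margin


if __name__ == "__main__":
    client = {"name": "ws1", "firewall_on": True, "av_age_days": 2, "patch_level": 50}
    sohr, cert = qec_request_certificate(client, "hcs.corp.example", NOW)
    print(sohr, cert["body"]["not_after"])
```

The SoHR carries the unmet requirements so that a failing client has the detail it needs to pick a remediation server, while the short `not_after` is what bounds how long a machine that later falls out of compliance keeps its protected-ring access.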
Can not participate in system that AFW isolates is directed in the shading ring simply and rests on the there.Its may access the Internet and possible any other computer that can visit in Boundary Loop or the shading ring.The guard ring computer can be connected to these computers, but then can not on the contrary.
Fig. 6 shows client computer and is used to start and the process of communicating by letter of having enabled the IPsec main frame.In step 610, client computer sends the IKE packet that comprises the client computer health certificate to main frame.In step 620, this health certificate of host acknowledgement, and by providing its oneself health certificate to respond.In step 630, client computer is used ESP to start TCP/IP and is shaken hands.In step 640, finish and shake hands, and can the randomly communication of encryption enabled between client computer and main frame.
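The certificate acquisition of Fig. 5 (steps 530 to 570) and the IKE exchange of Fig. 6, including the host decision that claim 1 recites, as an added Python example that is not part of the patent or of any Microsoft implementation. It assumes an HMAC-keyed JSON token in place of a real X.509 certificate, a constructed trusted-HCS list, a constructed IAS policy, constructed SoH values, and hypothetical function names; the point it demonstrates is that a peer accepts a health certificate only when it is issued by a trusted HCS, untampered, and unexpired, and refuses otherwise.

```python
import hashlib
import hmac
import json

# Added example (not the patent's code). A health certificate is modelled as a
# JSON body plus an HMAC-SHA256 tag computed with the issuing HCS's key; this
# stands in for the X.509 / Kerberos / WS-Security credential the claims name.
# HCS identifiers, keys, policy values and SoH fields below are constructed.

# Trusted HCS list (Fig. 5, step 530): the QEC only talks to servers on it,
# and hosts only accept certificates issued by one of them.
TRUSTED_HCS_KEYS = {"hcs-01": b"constructed-hcs-signing-key"}

# IAS policy (Fig. 5, step 560): what the statements of health must assert.
POLICY = {"firewall_on": True, "av_signature_version_min": 20051001}

CERT_LIFETIME = 3600  # seconds; the QEC renews shortly before expiry


def ias_evaluate(soh):
    """IAS: compare the SoH package with POLICY; return (grant, SoHR)."""
    failures = []
    if soh.get("firewall_on") is not True:
        failures.append("firewall_on")
    if soh.get("av_signature_version", 0) < POLICY["av_signature_version_min"]:
        failures.append("av_signature_version")
    sohr = {"compliant": not failures, "failures": failures}
    return not failures, sohr


def _tag(key, body):
    """Tag over a canonical encoding of the certificate body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def hcs_issue(hcs_id, subject, now):
    """HCS: issue a health certificate bound to a subject, with an expiry."""
    body = {"issuer": hcs_id, "subject": subject, "not_after": now + CERT_LIFETIME}
    return {"body": body, "tag": _tag(TRUSTED_HCS_KEYS[hcs_id], body)}


def verify_health_cert(cert, now):
    """Peer-side check: trusted issuer, untampered body, not yet expired."""
    if not isinstance(cert, dict):
        return False
    body = cert.get("body") or {}
    key = TRUSTED_HCS_KEYS.get(body.get("issuer"))
    if key is None:
        return False  # issuer not on the trusted HCS list
    if not hmac.compare_digest(_tag(key, body), str(cert.get("tag", ""))):
        return False  # body altered after issue, or tag forged
    return now < body.get("not_after", 0)


def request_health_certificate(hcs_id, subject, soh, now):
    """Fig. 5 steps 530-570 as seen from the QEC."""
    if hcs_id not in TRUSTED_HCS_KEYS:
        raise ValueError("HCS not on trusted list")
    granted, sohr = ias_evaluate(soh)                              # steps 550-560
    cert = hcs_issue(hcs_id, subject, now) if granted else None    # step 570
    return cert, sohr


def host_handle_ike(host_cert, client_cert, now):
    """Fig. 6 step 620 / claim 1: validate the certificate carried in the
    client's IKE packet; answer with the host's own certificate or refuse."""
    if not verify_health_cert(client_cert, now):
        return {"accepted": False, "host_cert": None}
    return {"accepted": True, "host_cert": host_cert}


def client_initiate(client_cert, host_cert, now):
    """Fig. 6 from the client's side: send its certificate (610), check the
    host's reply (620), and only then proceed to the ESP handshake (630-640).
    host_cert is passed in to stand in for the peer's side of the exchange."""
    reply = host_handle_ike(host_cert, client_cert, now)
    if not reply["accepted"]:
        return "refused"
    if not verify_health_cert(reply["host_cert"], now):
        return "host-certificate-rejected"  # authentication is mutual
    return "esp-handshake"
```

The checks in `verify_health_cert` map onto the three rings of the description: a quarantine-ring machine has no certificate and is refused by a protected-ring host, while an expired or tampered certificate is treated exactly like no certificate, which is why the QEC re-runs steps 530 to 570 before expiry.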
The foregoing description of various embodiments of the present invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise embodiments disclosed. Many modifications and variations are possible in light of the above teaching. The embodiments discussed were chosen and described to provide the best illustration of the principles of the invention and its practical application, thereby enabling those of ordinary skill in the art to utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated. All such modifications and variations are within the scope of the invention as determined by the appended claims when interpreted in accordance with the breadth to which they are fairly, legally and equitably entitled.

Claims (20)

1. A method for a host in a network to provide selective network quarantine using the IP security protocol (IPsec), comprising:
receiving from a client an Internet Key Exchange (IKE) packet that includes a client health certificate;
validating the client health certificate;
if the client health certificate is valid, sending a host health certificate to the client; and
if the client health certificate is invalid, refusing the client access to the host.
2. The method of claim 1, characterized in that a health certificate indicates that the owner of the certificate complies with the security policy of the network.
3. The method of claim 1, characterized in that it further comprises, if the client health certificate is valid, communicating with the client via IPsec communication.
4. The method of claim 1, characterized in that the health certificate is an X.509 certificate.
5. The method of claim 1, characterized in that the health certificate is a Kerberos ticket.
6. The method of claim 1, characterized in that the health certificate is a WS-Security token.
7. A computer-readable medium having stored thereon computer-executable instructions for performing the method of claim 1.
8. A method for a host to obtain a health certificate, comprising:
sending at least one statement of health to a health certificate server;
receiving at least one statement of health response from the health certificate server; and
if the at least one statement of health is validated by the health certificate server, receiving a health certificate and configuring the host to implement an IPsec policy, the IPsec policy requiring a client health certificate from a client before granting the client access to the host.
9. The method of claim 8, characterized in that, if the at least one statement of health is not validated, the at least one statement of health response indicates that the host does not comply with the network security policy.
10. The method of claim 8, characterized in that the health certificate is an X.509 certificate.
11. The method of claim 8, characterized in that the health certificate is a Kerberos ticket.
12. The method of claim 8, characterized in that the health certificate is a WS-Security token.
13. A computer-readable medium having stored thereon computer-executable instructions for performing the method of claim 8.
14. A computer network implementing a network quarantine model, comprising:
a first set of computers, wherein each computer has a health certificate and communicates only with computers that likewise have a valid health certificate;
a second set of computers, wherein each computer has a health certificate and communicates with all other computers in the network; and
a third set of computers, wherein each computer has no health certificate and communicates with all other computers in the network.
15. The network of claim 14, characterized in that communication among the first set of computers, and between the first set of computers and the second set of computers, is implemented using IPsec.
16. The network of claim 14, characterized in that the health certificate is an X.509 certificate.
17. The network of claim 14, characterized in that the health certificate is a Kerberos ticket.
18. The network of claim 14, characterized in that the health certificate is a WS-Security token.
19. The network of claim 14, characterized in that the health certificate indicates that the owner of the certificate complies with the established security policy of the network.
20. The network of claim 14, characterized in that the first set of computers can initiate communication with the third set of computers, but the third set of computers cannot initiate communication with the first set of computers.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US61813904P 2004-10-14 2004-10-14
US11/056,276 2005-02-14
US60/618,139 2005-10-14

Publications (1)

Publication Number Publication Date
CN1770769A true CN1770769A (en) 2006-05-10

Family

ID=36751761

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200510116338 Pending CN1770769A (en) 2004-10-14 2005-10-14 System and methods for providing network quarantine using ipsec

Country Status (2)

Country Link
CN (1) CN1770769A (en)
ZA (1) ZA200508074B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100405766C (en) * 2006-09-18 2008-07-23 北京明朝万达科技有限公司 A method to control network separation based on mode switch
CN100596069C (en) * 2006-08-15 2010-03-24 中国电信股份有限公司 Automatic configuration system and method of IPSec safety tactis in domestic gateway
CN101127744B (en) * 2007-09-29 2010-10-13 杭州华三通信技术有限公司 Separation prompt method and system for illegal client and gateway device
CN101506819B (en) * 2006-08-31 2011-07-27 富士通株式会社 Network connected terminal device authenticating method, network connected terminal device authenticating system and network connected terminal device
CN102299914A (en) * 2010-06-24 2011-12-28 微软公司 Trusted intermediary of access controlfor for enabling network layer claims
CN102299915A (en) * 2010-06-24 2011-12-28 微软公司 Access control based on network layer claims
CN102612820A (en) * 2009-11-12 2012-07-25 微软公司 IP security certificate exchange based on certificate attributes
CN106170963A (en) * 2014-02-24 2016-11-30 霍尼韦尔国际公司 The apparatus and method of seamless safety communication are set up between the parts in Industry Control and automated system
CN108886530A (en) * 2016-04-11 2018-11-23 华为技术有限公司 The activation of mobile device in Enterprise Mobile management
CN111294223A (en) * 2018-12-07 2020-06-16 网宿科技股份有限公司 Method and system for configuring multiple isolation spaces in strongswan

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100596069C (en) * 2006-08-15 2010-03-24 中国电信股份有限公司 Automatic configuration system and method of IPSec safety tactis in domestic gateway
CN101506819B (en) * 2006-08-31 2011-07-27 富士通株式会社 Network connected terminal device authenticating method, network connected terminal device authenticating system and network connected terminal device
CN100405766C (en) * 2006-09-18 2008-07-23 北京明朝万达科技有限公司 A method to control network separation based on mode switch
CN101127744B (en) * 2007-09-29 2010-10-13 杭州华三通信技术有限公司 Separation prompt method and system for illegal client and gateway device
CN102612820B (en) * 2009-11-12 2016-03-02 微软技术许可有限责任公司 IP safety certificate based on certificate attribute exchanges
US9912654B2 (en) 2009-11-12 2018-03-06 Microsoft Technology Licensing, Llc IP security certificate exchange based on certificate attributes
CN102612820A (en) * 2009-11-12 2012-07-25 微软公司 IP security certificate exchange based on certificate attributes
CN102299914A (en) * 2010-06-24 2011-12-28 微软公司 Trusted intermediary of access controlfor for enabling network layer claims
US9344432B2 (en) 2010-06-24 2016-05-17 Microsoft Technology Licensing, Llc Network layer claims based access control
CN102299914B (en) * 2010-06-24 2016-06-01 微软技术许可有限责任公司 For enabling the trusted intermediary accessing control of Internet statement
CN102299915B (en) * 2010-06-24 2017-03-01 微软技术许可有限责任公司 Access control based on Internet statement
CN102299915A (en) * 2010-06-24 2011-12-28 微软公司 Access control based on network layer claims
CN106170963A (en) * 2014-02-24 2016-11-30 霍尼韦尔国际公司 The apparatus and method of seamless safety communication are set up between the parts in Industry Control and automated system
CN106170963B (en) * 2014-02-24 2019-08-27 霍尼韦尔国际公司 The device and method of secure communication are established between control and the component of automated system
CN108886530A (en) * 2016-04-11 2018-11-23 华为技术有限公司 The activation of mobile device in Enterprise Mobile management
CN108886530B (en) * 2016-04-11 2021-02-12 华为技术有限公司 Method for activating mobile device in enterprise mobile management and mobile device
CN111294223A (en) * 2018-12-07 2020-06-16 网宿科技股份有限公司 Method and system for configuring multiple isolation spaces in strongswan

Also Published As

Publication number Publication date
ZA200508074B (en) 2007-12-27

Similar Documents

Publication Publication Date Title
CN1770769A (en) System and methods for providing network quarantine using ipsec
CN102047262B (en) Authentication for distributed secure content management system
JP5860815B2 (en) System and method for enforcing computer policy
US9781114B2 (en) Computer security system
JP5021215B2 (en) Reliable third-party authentication for web services
ES2556245T3 (en) System and procedure for secure network connectivity
US8528047B2 (en) Multilayer access control security system
US7313618B2 (en) Network architecture using firewalls
US7661131B1 (en) Authentication of tunneled connections
Stewart Network Security, Firewalls and VPNs
US20100162356A1 (en) Hierarchical Trust Based Posture Reporting and Policy Enforcement
US20060085850A1 (en) System and methods for providing network quarantine using IPsec
US20090193503A1 (en) Network access control
CN1703867A (en) Firewall
CN1578218A (en) Reducing network configuration complexity with transparent virtual private networks
US20070011448A1 (en) Using non 5-tuple information with IPSec
Stapko Practical embedded security: building secure resource-constrained systems
US20070150947A1 (en) Method and apparatus for enhancing security on an enterprise network
CN200962603Y (en) A trustable boundary security gateway
KR100737518B1 (en) Network access control using end point integrity, and building method
Serrao Network access control (NAC): An open source analysis of architectures and requirements
Kleberger et al. Securing vehicle diagnostics in repair shops
Song et al. Trusted web service
Das et al. Testing and securing web applications
Ganguly Network and application security: fundamentals and practices

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20060510