CN1859384B - Method for controlling user's message passing through network isolation device - Google Patents

Info

Publication number: CN1859384B
Authority: CN (China)
Application number: CN2005101212126A
Other versions: CN1859384A
Other languages: Chinese (zh)
Inventor: 熊苏学
Current assignee: Chengdu Huawei Technology Co Ltd
Original assignee: Huawei Technologies Co Ltd
Legal status: Active
Prior art keywords: user, message, safety zone, isolated device, network

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a method for controlling the passage of user messages through a network isolation device. Before a user's messages pass through the network isolation device, the device obtains the domain name from the user's account and from the domain name obtains the security zone of the user's messages; it then creates a user information table recording, for that account, the message source address, destination address and security zone. When a message passes through the network isolation device, the device queries the information table by the message's source address and destination address, obtains the isolation device's security policy from the query result and performs the corresponding operation. The invention ensures that a user has the same access rights whenever the same user account is used, regardless of the interface through which the user connects; by making reasonable use of, and partly extending, the existing network isolation model, it realizes firewall control based on the user account.

Description

Method for controlling user messages passing through an isolation device
Technical field
The present invention relates to a control method for isolation devices, and in particular to a method for controlling the passage of user messages through an isolation device.
Background technology
With the increasing ubiquity of the Internet, many internal networks (such as a company's intranet or the network of a residential community) can connect directly to the Internet. This is a great convenience, but such open networks also bring many hidden security risks.
Open networks usually contain many untrusted computers, and various types of attack have appeared in them, such as message eavesdropping, address spoofing, address and port scanning and worm viruses. All of these pose a serious threat to private sensitive information, and network security has become a practical problem that the industry must face.
Network isolation technology was developed to solve such problems. In short, an isolation device used for network isolation (such as a firewall) protects one network from attacks originating in an "untrusted" network while still allowing legitimate communication between the two networks.
To protect a given network from attacks by other networks, the isolation device must partition the network. There are many ways of partitioning; the two main ways currently used are the following:
The first way partitions by individual interface. Each interface is regarded as one network, and the isolation device's security policy is applied between one interface and another. Fig. 1 shows a network partitioned in this way: interface A and interface B connect two networks respectively, and the isolation device performs network isolation between interface A and interface B.
The second way partitions by sets of interfaces. A set of interfaces is usually called a security zone; each security zone can be understood as a network with a single security level, and the isolation device's policy is applied between one security zone and another. In Fig. 2, for example, interface A and interface B belong to security zone Z1 and have the same security level, while interface C belongs to another security zone Z2.
Most current isolation devices provide a zone-based isolation model in which interfaces can be added to each security zone freely according to the actual network layout. Such a security management model is unaffected by the network topology and is very flexible to use.
However, when performing network isolation by security zone, the isolation device described above only supports user messages entering and leaving the device through physical interfaces. Suppose, as shown in Fig. 3, that interface E is connected to Yahoo's server and a user accesses a Yahoo web page. If the user's access request message enters through interface A, security policy P1 is applied; if it enters through interface C, a different security policy P2 is applied. This is clearly unreasonable: for a given user, the right to access Yahoo should be the same regardless of the interface through which the user connects, but an interface-based isolation device cannot achieve this.
Summary of the invention
The technical problem solved by the invention is to provide a method for passing user messages through an isolation device such that the same user, connecting to the isolation device through any interface, obtains the same right to pass through the device.
The technical solution adopted to solve this problem is a method for controlling user messages passing through an isolation device, comprising:
1) presetting the security zone to which a user's messages belong when passing through the isolation device;
2) when the user's messages pass through the isolation device, determining the preset security zone to which this user's messages belong;
3) controlling the passage of this user's messages through the isolation device with the security policy of the security zone to which the user's messages belong.
Further, step 1) specifically comprises:
A. designating the security zone to which the user belongs;
B. establishing and saving the mapping between this user's messages and the security zone to which the user belongs.
The security zone designated for the user in step A) is the security zone corresponding to the domain name in the user's account.
The security zone corresponding to the domain name in the user's account can be changed by control information issued by an authentication server or a policy server.
The user account is the account obtained through user authentication.
The authentication is web page authentication or Point-to-Point Protocol authentication.
In step B), establishing and saving the mapping between the user's messages and the user's security zone is:
determining the mapping between the source address and destination address of the user's messages and the user's security zone;
saving the mapping in a user information table.
Alternatively, determining the preset security zone of this user's messages in step 2) specifically comprises:
A. looking up the user information table by the source address of the user's message: if the table contains the source address of the message, obtaining from the table the user's security zone corresponding to that source address; otherwise, obtaining the security zone to which the isolation device's incoming interface belongs;
B. looking up the user information table by the destination address of the user's message: if the table contains the destination address of the message, obtaining from the table the user's security zone corresponding to that destination address; otherwise, obtaining the security zone to which the isolation device's outgoing interface belongs.
Alternatively, determining the preset security zone of this user's messages in step 2) specifically comprises:
A. looking up the user information table by the destination address of the user's message: if the table contains the destination address of the message, obtaining from the table the user's security zone corresponding to that destination address; otherwise, obtaining the security zone to which the isolation device's outgoing interface belongs;
B. looking up the user information table by the source address of the user's message: if the table contains the source address of the message, obtaining from the table the user's security zone corresponding to that source address; otherwise, obtaining the security zone to which the isolation device's incoming interface belongs.
The user account is the combination of the user name and the domain name of the network operator to which the user belongs.
The format of this combination in the user account is username@domainname, where username identifies the user name and domainname identifies the domain name of the network operator to which the user belongs.
The isolation device may be a firewall.
The beneficial effects of the technical solution of the invention are:
In the invention, when a user's messages pass through the isolation device, their passage is controlled with the security policy of the preset security zone of the user's messages. Thus, for a given user, access rights are the same regardless of the interface through which the user connects, as long as it is the same user. The existing firewall isolation model can thereby be reused in a reasonable way to achieve user-based control of the isolation device (such as a firewall).
Description of drawings
Fig. 1 is a model diagram of a prior-art single-interface network isolation device;
Fig. 2 is a model diagram of a prior-art interface-set network isolation device;
Fig. 3 is a model diagram of a prior-art multi-interface network isolation device;
Fig. 4 is the main flow chart of the method of the invention for passing user messages through an isolation device.
Embodiment
The invention is described in further detail below with reference to the drawings.
As shown in Fig. 4, the main flow by which the invention passes user messages through an isolation device comprises three steps: presetting the user's security zone (step 1), determining the security zone of the user's messages (step 2), and obtaining the security policy and passing through the isolation device (step 3). Without loss of generality, the isolation device is taken to be a firewall in the description below.
Presetting the user's security zone means presetting the security zone to which the user's messages belong when passing through the firewall. First the security zone to which the user belongs is designated; then the mapping between this user's messages and the user's security zone is established and saved. This mapping is a user information table containing the message source address, destination address and the security zone to which the user belongs.
When a user's message passes through the firewall, the security zone of the message about to pass through is determined first by looking up the user information table with the message's source address and destination address. The firewall first queries the information table by the message source address: if the table contains this source address, it obtains the user's security zone, otherwise it obtains the security zone to which the isolation device's incoming interface belongs. The firewall then queries the information table by the message destination address: if the table contains this destination address, it obtains the user's security zone, otherwise it obtains the security zone to which the isolation device's outgoing interface belongs.
Equally, when a user's message passes through the firewall, the firewall may first query the information table by the message destination address (if the table contains this destination address, it obtains the user's security zone, otherwise the security zone of the isolation device's outgoing interface), and then query the information table by the message source address (if the table contains this source address, it obtains the user's security zone, otherwise the security zone of the isolation device's incoming interface).
Specifically, before a user's messages pass through the firewall, some form of authentication is generally performed first, such as WEB (web page) authentication or PPP (Point-to-Point Protocol) authentication, in which the user enters a correct user account and password. The user account generally has the form username@domainname, where username is the user name and domainname is the domain name identifying the network operator, i.e. the Internet service provider (ISP), to which the user belongs.
Usually, users served by the same network operator (ISP) all have the same security level. The security zone corresponding to each domain is configured on the firewall in advance; since each user corresponds to a domain, this amounts to presetting the user's security zone. Taking the concrete example shown in Fig. 3: interface A and interface B belong to security zone Z1; interface C and interface D belong to security zone Z2; interface E belongs to security zone Z3; a set of firewall security policies P1 is applied between Z1 and Z3 and a set of firewall security policies P2 between Z2 and Z3; and suppose the domain name domainname is pre-configured to belong to security zone Z1.
When a user is authenticated, the firewall device obtains the domain name (domainname) from the user's account and then obtains the security zone to which the user belongs from the domain name (domainname).
If a user requires a specific security zone, the ISP can also, upon application, assign a specific security zone to certain users and change those users' security zone by issuing control information from a specific server. This server can be an authentication and accounting server (such as a RADIUS server), a policy server (such as a COPS server), or the like.
After the user passes authentication, the firewall device establishes for the user the user information table mapping the user's messages to the user's security zone, recording information such as the user's source address, destination address and security zone.
When the user's messages pass through the firewall, the above user information table is queried, the security policy is obtained and the passage through the isolation device is controlled accordingly.
Suppose now that interface E in Fig. 3 is connected to the Internet. When messages of the user username@domainname accessing the Internet pass through the firewall, the firewall looks up the user information table by the user's address, so the security zone it obtains for the user is necessarily Z1, whether the user connects through interface A or through interface C.
From the message's destination address the firewall obtains the security zone of the isolation device's outgoing interface, namely security zone Z3 to which interface E belongs, and so obtains firewall security policy P1.
It can be seen from this that whether the user connects through an interface in security zone Z1 (such as interface A) or through an interface in security zone Z2 (such as interface C), the security policy finally obtained by the firewall is P1, thereby realizing firewall control based on the user account.
In addition, obtaining the security zone to which a user account belongs is not limited to the user information table described above. For example, the user's security zone can be recorded in the user's FIB table and obtained by looking up the FIB table.
The way in which the invention determines the security zone to which a user account belongs is not limited to the domain in the account or to control information issued by a specific server. Other ways, such as statically configuring the security zone of a particular account or of a particular IP address, can also be used.
The above is only a preferred embodiment of the invention. It should be pointed out that those skilled in the art can make improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be regarded as within the scope of protection of the invention.
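The three-step flow described above (derive the zone from the domain in the account and record it in the user information table, look the table up by source and destination address with the interface zone as fallback, then select the inter-zone policy), as an added Python illustration that is not the patent's or Huawei's code. The topology and policy names follow the Fig. 3 example; the addresses, the table layout and the RADIUS/COPS-style override and logout hooks are constructed for the illustration.

```python
"""Account-based security-zone lookup modelled on CN1859384B (added
illustration, not the patent's own code). Constructed Fig. 3 scenario:
interfaces A, B -> Z1; C, D -> Z2; E -> Z3 (Internet side); policy set P1
between Z1 and Z3, P2 between Z2 and Z3; domain "domainname" -> zone Z1.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class ZoneFirewall:
    iface_zone: Dict[str, str]                  # interface -> security zone
    domain_zone: Dict[str, str]                 # ISP domain -> security zone
    policies: Dict[FrozenSet[str], str]         # {zone_a, zone_b} -> policy
    # user information table: address -> user's security zone, filled on login
    user_table: Dict[str, str] = field(default_factory=dict)

    @staticmethod
    def domain_of(account: str) -> str:
        """Accounts have the form username@domainname; the domain part picks
        the zone, so reject anything that does not have exactly that shape."""
        user, sep, domain = account.rpartition("@")
        if not sep or not user or not domain or "@" in user:
            raise ValueError(f"malformed account {account!r}")
        return domain

    def authenticate(self, account: str, address: str) -> str:
        """Step 1: after WEB/PPP authentication, derive the zone from the
        domain in the account and record it for the user's address."""
        zone = self.domain_zone[self.domain_of(account)]
        self.user_table[address] = zone
        return zone

    def apply_control_info(self, address: str, zone: str) -> None:
        """Control information from an authentication/policy server (RADIUS,
        COPS) may assign a specific zone, overriding the domain's zone."""
        self.user_table[address] = zone

    def logout(self, address: str) -> None:
        """Remove the entry so that a later host reusing the address falls
        back to its interface zone instead of inheriting the user's zone."""
        self.user_table.pop(address, None)

    def resolve_zones(self, src: str, dst: str,
                      in_iface: str, out_iface: str) -> Tuple[str, str]:
        """Step 2: for each address, prefer the user table; fall back to the
        zone of the incoming (source) or outgoing (destination) interface."""
        src_zone = self.user_table.get(src, self.iface_zone[in_iface])
        dst_zone = self.user_table.get(dst, self.iface_zone[out_iface])
        return src_zone, dst_zone

    def policy_for(self, src: str, dst: str,
                   in_iface: str, out_iface: str) -> Optional[str]:
        """Step 3: select the policy set configured between the two zones.
        None means no policy is configured for that zone pair."""
        src_zone, dst_zone = self.resolve_zones(src, dst, in_iface, out_iface)
        return self.policies.get(frozenset((src_zone, dst_zone)))


def build_fig3_firewall() -> ZoneFirewall:
    """The constructed Fig. 3 topology."""
    return ZoneFirewall(
        iface_zone={"A": "Z1", "B": "Z1", "C": "Z2", "D": "Z2", "E": "Z3"},
        domain_zone={"domainname": "Z1"},
        policies={frozenset(("Z1", "Z3")): "P1",
                  frozenset(("Z2", "Z3")): "P2"},
    )


def demo() -> Tuple[str, Optional[str], Optional[str]]:
    """Walk through the worked example: the user attaches on interface C,
    which is in zone Z2, yet is governed by the Z1 policy set P1."""
    fw = build_fig3_firewall()
    user_ip, internet_ip = "10.0.2.7", "203.0.113.10"   # constructed addresses
    zone = fw.authenticate("username@domainname", user_ip)
    via_c = fw.policy_for(user_ip, internet_ip, "C", "E")
    # An unauthenticated host on interface C keeps the interface zone Z2.
    other = fw.policy_for("10.0.2.99", internet_ip, "C", "E")
    return zone, via_c, other


if __name__ == "__main__":
    print(demo())  # ('Z1', 'P1', 'P2')
```

The table is keyed by address, so releasing the entry on logout matters: without it a later host on the same address would inherit the departed user's zone and policy.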

Claims (10)

1. A method for controlling user messages passing through an isolation device, characterized in that the method comprises:
1) presetting the security zone to which a user's messages belong when passing through the isolation device;
2) when the user's messages pass through the isolation device, determining the preset security zone to which this user's messages belong;
3) controlling the passage of this user's messages through the isolation device with the security policy of the security zone to which the user's messages belong;
wherein step 1) specifically comprises:
A. designating the security zone to which the user belongs, wherein the designated security zone of the user is the security zone corresponding to the domain name in the user's account;
B. establishing and saving the mapping between this user's messages and the security zone to which the user belongs.
2. The method for controlling user messages passing through an isolation device according to claim 1, characterized in that the security zone corresponding to the domain name in the user's account can be changed by control information issued by an authentication server or a policy server.
3. The method for controlling user messages passing through an isolation device according to claim 2, characterized in that the user account is the account obtained through user authentication.
4. The method for controlling user messages passing through an isolation device according to claim 3, characterized in that the authentication is web page authentication or Point-to-Point Protocol authentication.
5. The method for controlling user messages passing through an isolation device according to claim 1, characterized in that, in step B), establishing and saving the mapping between the user's messages and the user's security zone is:
determining the mapping between the source address and destination address of the user's messages and the user's security zone;
saving the mapping in a user information table.
6. The method for controlling user messages passing through an isolation device according to claim 5, characterized in that determining the preset security zone of this user's messages in step 2) specifically comprises:
A. looking up the user information table by the source address of the user's message: if the table contains the source address of the message, obtaining from the table the user's security zone corresponding to that source address; otherwise, obtaining the security zone to which the isolation device's incoming interface belongs;
B. looking up the user information table by the destination address of the user's message: if the table contains the destination address of the message, obtaining from the table the user's security zone corresponding to that destination address; otherwise, obtaining the security zone to which the isolation device's outgoing interface belongs.
7. The method for controlling user messages passing through an isolation device according to claim 5, characterized in that determining the preset security zone of this user's messages specifically comprises:
A. looking up the user information table by the destination address of the user's message: if the table contains the destination address of the message, obtaining from the table the user's security zone corresponding to that destination address; otherwise, obtaining the security zone to which the isolation device's outgoing interface belongs;
B. looking up the user information table by the source address of the user's message: if the table contains the source address of the message, obtaining from the table the user's security zone corresponding to that source address; otherwise, obtaining the security zone to which the isolation device's incoming interface belongs.
8. The method for controlling user messages passing through an isolation device according to claim 1, characterized in that the user account is the combination of the user name and the domain name of the network operator to which the user belongs.
9. The method for controlling user messages passing through an isolation device according to claim 8, characterized in that the format of the combination of the user name and the domain name of the network operator in the user account is username@domainname, where username identifies the user name and domainname identifies the domain name of the network operator to which the user belongs.
10. The method for controlling user messages passing through an isolation device according to any one of claims 1 to 9, characterized in that the isolation device is a firewall.
Application CN2005101212126A, priority date 2005-12-29, filing date 2005-12-29: Method for controlling user's message passing through network isolation device (CN1859384B, Active)

Publications (2)

Publication Number Publication Date
CN1859384A 2006-11-08
CN1859384B 2011-02-02

Family

ID=37298246

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101197795A * 2007-12-26 2008-06-11 华为技术有限公司 Network service protection method and service gateway
CN101714997B * 2010-01-15 2012-11-28 中国工商银行股份有限公司 Firewall strategy-generating method, device and system
CN101867620B * 2010-07-02 2013-04-24 南京南瑞继保电气有限公司 Method for viewing pre-message through crossing security zone
CN102035895A * 2010-12-30 2011-04-27 天津市国瑞数码安全系统有限公司 Web site supervision method based on HTTP (hypertext transfer protocol) analysis
CN105592052B * 2015-09-10 2019-06-07 新华三技术有限公司 A kind of firewall rule configuration method and device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1545285A * 2003-11-11 2004-11-10 中兴通讯股份有限公司 Method of access control list or security policy database
CN1863193A * 2005-05-10 2006-11-15 联想网御科技(北京)有限公司 Method for implementing safety tactics of network safety apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220829

Address after: No. 1899 Xiyuan Avenue, high tech Zone (West District), Chengdu, Sichuan 610041

Patentee after: Chengdu Huawei Technologies Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.