CN1885788A - Network safety protection method and system - Google Patents

Network safety protection method and system Download PDF

Info

Publication number
CN1885788A
CN1885788A CN 200510077344 CN200510077344A CN1885788A CN 1885788 A CN1885788 A CN 1885788A CN 200510077344 CN200510077344 CN 200510077344 CN 200510077344 A CN200510077344 A CN 200510077344A CN 1885788 A CN1885788 A CN 1885788A
Authority
CN
China
Prior art keywords
network
security
user terminal
policy server
security policy
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200510077344
Other languages
Chinese (zh)
Other versions
CN1885788B (en
Inventor
陈有琨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd
Original Assignee
Hangzhou Huawei 3Com Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Huawei 3Com Technology Co Ltd filed Critical Hangzhou Huawei 3Com Technology Co Ltd
Priority to CN200510077344A priority Critical patent/CN1885788B/en
Publication of CN1885788A publication Critical patent/CN1885788A/en
Application granted granted Critical
Publication of CN1885788B publication Critical patent/CN1885788B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The disclosed network security protective method comprises: providing security strategy server and access device, for external device required access, first isolating into separation area for security certification; if failure, upgrading and repairing by the third server for certification again; after accessing into network, still monitoring user by former security strategy for processing illegal affair. This invention provides more safe and complete self protective function.

Description

Network safety protection method and system
Technical field
The present invention relates to a kind of network safety protection method and system, relate in particular to a kind of method and system that user terminal safe condition in the network is protected.
Background technology
Through application and development for many years, be accompanied by people's going deep into to network software and hardware technology understanding, network security has surpassed the demand to network reliability, exchange capacity and service quality, become the problem that the enterprise customer is concerned about most, network security infrastructure also day by day becomes the most important thing that enterprise network is built.
In enterprise network, new security threat continues to bring out, as the network attack of wreaking havoc day by day, computer network virus etc.Wherein, some network attack is initiated at some leak of operating system, application software, and harmfulness is very big, might cause system and network collapse, significant data is stolen or illegally altered or the like; And computer virus has the person's character of self-reproduction, and this specific character makes its destructiveness and scope to network continue to enlarge, and often causes system crash, network paralysis, makes enterprise suffer heavy losses.
In enterprise network, the safe condition of any station terminal particularly such as anti-virus ability, Patch-level and the system safety setting of terminal, all will directly have influence on the safety of whole network.Do not meet the terminal of enterprise security strategy, low such as anti-virus storehouse version, patch is not upgraded etc., suffers easily to attack, infective virus, if certain station terminal has infected virus, it will constantly attempt to seek next victim in network, and will make its infection; Perhaps after some machine was under attack, these machines might become the accomplice who attacks the promoter, then the critical server in enterprise network is initiated the distributed network attack.Therefore, in a network that does not have a security protection, final the possibility of result is the whole network paralysis, and all terminals all can't operate as normal.
How guaranteeing that the security state of terminal in the network meets the enterprise security strategy, is the challenge that each network manager has to face.In the prior art, present situation is that new patch has been issued, and but nobody comprehends, the existence of the system vulnerability of leaving; New virus has occurred, and untimely upgrading virus base is for poisoning intrusion is opened the floodgates wide.This situation is very general in enterprise network.Yet it but is a job of wasting time and energy that the keeper searches, isolates, repairs these terminals that do not meet security strategy, often causes between the enforcement of enterprise security strategy and terminal security to have huge gap.
Summary of the invention
Technical problem to be solved by this invention provides a kind ofly can carry out unified security strategy preferably, remove the method and system of the network security system of loaded down with trivial details manual strick precaution, upgrading, can be integrated into the security system of an interlock such as network security measures such as terminal security measure such as user terminal anti-virus, patch reparation and network insertion control, access rights controls.
The method that provides among the present invention is carried out network safety prevention by the network that comprises at least one user terminal, a network access equipment and a Security Policy Server, comprises the following steps:
(1) at first is isolated to the isolation network zone during user terminal requests access network;
(2) user terminal is collected security information on the user terminal and is reported described Security Policy Server and carry out safety certification;
(3) network area beyond the described isolation network zone that described user terminal is linked into by described Security Policy Server informing network access device then of safety certification;
Wherein, also provide server in the described network, be positioned at the isolation network zone described in the step (1), for the user terminal that inserts described isolation network zone provides service with the service of third party's network.
Wherein, the service of described third party's network is virus base upgrading or system mend upgrade service, and comprise the steps: further that described Security Policy Server informing user terminal is upgraded and or download up-to-date virus base; Described user terminal cooperates with described third party's webserver, finishes the renewal and or the patch upgrading of download of most current virus storehouse and local virus library.
Wherein, described network access equipment can be switch, router or Virtual Private Network gateway.
In addition, further comprise in this method:
(4) after described user terminal inserts the proper network zone, dispose the incident that whether occurs not meeting network security policy on the regular inquiring user terminal according to the security strategy of Security Policy Server;
(5) if find not meet the incident of network security policy but user terminal can be repaired, then directly be reported to Security Policy Server to carry out postaudit, and return step (4);
(6) if finding the incident and the user terminal that do not meet network security policy can't repair, then user terminal sends the notice request processing to Security Policy Server;
(7) described Security Policy Server is isolated the relative users terminal by network access equipment, and notifies described user terminal to upgrade or reminding subscriber terminal is handled;
(8) user terminal upgrading finish or user terminal processes after, return step (2), carry out safety certification again.
Wherein, network access equipment is isolated user terminal described in the step (7) in the mode of Access Control List (ACL) or VLAN.
Another aspect of the present invention provides a kind of network security protection system, this system comprises at least one network security policy server and at least one network access equipment, user terminal can be connected to the network with network security policy server by network access equipment, it is characterized in that this system also comprises:
A security client module is used for being deployed in request and is linked in the network with described Security Policy Server;
A security strategy service module is located on the network security policy server, is used for disposing in the network that is requested to insert and control execution security strategy;
A network security interaction module is positioned on the network access equipment, is used for isolating or inserting the user terminal with security client module according to the security strategy that described security strategy service module is disposed;
Described user terminal with described security client module is connected to the Security Policy Server with security strategy service module by the network access equipment with network security interaction module.
In addition, also comprise third party's network service module in this system, be positioned on third party's webserver that this third party's webserver is arranged in the isolation network zone, be used to segregate user terminal that the service of third party's network is provided.
Wherein, the service of described third party's network is virus base upgrading or system mend upgrade service, when user terminal is isolated in the isolation network zone, described security strategy service module notice security client module upgrade and or download up-to-date virus base; Described security client module cooperates with described third party's network service module, finishes the renewal and or the patch upgrading of download of most current virus storehouse and local virus library.
Another aspect of the present invention provides a kind of network security protection system, this system comprises Security Policy Server and network access equipment, described Security Policy Server has default security strategy, and in order to the checking access user terminal security information whether meet its security strategy requirement, it is characterized in that, this Security Policy Server will be verified the described network access equipment of result notification, network access equipment issues corresponding access rules according to the checking result, isolates present networks with the access user terminal that will not meet the security strategy requirement.
Wherein, described network access equipment is isolated the described user terminal that does not meet security strategy in a network with third-party server, and this third-party server has the ability of improving the user terminal security information.
Wherein, described third-party server provides the renewal or the patch upgrading of download of most current virus storehouse or local virus library.
Because the method among the present invention is the terminal anti-virus for example; terminal security measure and network insertion controls such as patch reparation; network security measures such as access rights control are integrated into the security system of an interlock; by centralized and unified setting to the security strategy of whole network; and user terminal that will access network at first isolated particular network area; carry out safety certification then; have only safety certification by after could really be linked into shielded network; and to the real-time inspection of the user terminal of access network; isolate; repair; management and monitoring; make the user terminal that does not meet the general safety strategy in time be isolated to certain zone and also carry out the correction of network security automatically; upgrading or the like; utilize these effective safety prevention measures; changed in the prior art; new patch issue in the network; new virus must be carried out heavy upgrading manually after upgrading; the situation of downloading; make the Prevention-Security of whole network; management becomes Passive Defence and is initiatively defence; become the single-point defence and be all-around defense; variation is loose management for the centralized policy management, has promoted network to virus; the whole defence capability of security threat such as worm and network attack.
In addition, the system among the present invention is owing to have security strategy service module, safe access control module and security client module, and third party's service module further is provided, and has and be used for disposing and security strategy is carried out in control at network; The user terminal of isolating access network; And mutual and control functions such as security strategy in the client executing network, thereby well had the function of defending against network attacks to the safety certification of user terminal and server.
In another system of the present invention security strategy and access control are combined, the access user terminal that the effective Control Network access device of energy in time will not meet security strategy is isolated the ad hoc network area of isolation with the service of third party's network, thereby make whole network operate in all the time among the default security strategy, also just avoided interference such as network attacks such as internet worms.
Description of drawings
Fig. 1 is the network typical network environment figure that one embodiment of the invention is used.
Fig. 2 is the network attended operation schematic flow sheet of one embodiment of the invention.
Fig. 3 is the operating process schematic diagram after the network of one embodiment of the invention connects.
Embodiment
Essence of the present invention is to provide safety certification for the user terminal of access network, if the safe condition of user terminal does not meet the security strategy requirement that is access in network, then temporarily this user terminal is isolated in isolation network zone with the service of third party's network, and utilize the service of described third party's network to repair for user terminal carries out corresponding safe condition, make it meet the security strategy demand that is access in network, thereby guaranteed that whole network is among the whole unified security protection Policy Status all the time.In addition, can also control user terminal is monitored in last network process all the time, in case the situation of security strategy occurs not meeting, the whole network of control that will in time take safety measures is without prejudice, for example the user terminal that does not meet the peace strategy is in time carried out above-mentioned isolation, repair process, carry out safety certification then again; Perhaps in time remind the user to have been found that virus but do not isolate, perhaps do not isolate and also do not notify the user and just log or the like measure in Security Policy Server, and form security log, so that better carry out the audit and the setting of security strategy.In a word, using method and system provided by the invention, can effectively be network arrangement, enforcement, monitoring general safety strategy, makes safety management of network become convenient, fast, efficient, flexible.
Further elaborate specific embodiments of the invention below in conjunction with accompanying drawing.
Fig. 1 and hereinafter described will carry out simple and briefly describe to being applicable to the computer network environment that realizes various functions of the present invention, though described network environment was used in the distributed computing environment (DCE) when present embodiment was talked about the network equipment, by a communication network and some communication equipments remote network equipment is linked together, can carry out some additional tasks by these remote network equipments, but those of ordinary skills should be realized that the present invention and can realize with many other computer system configurations, comprise microprocessor system, microcomputer, mainframe computer and router, switch etc.The present invention can be applied to wide area network and local area network (LAN), perhaps particularly realizes in the computer at the single or multiple network equipments that use logic rather than physics remote equipment.
With reference to figure 1, be depicted as the typical network environment figure that one embodiment of the invention is used.Wherein, can comprise one or more user terminals in this network environment; this user terminal can be desktop computer, handheld device or notebook etc.; certainly; skilled one skilled in the art will recognize that; user terminal herein also can be that any other possesses the network equipment of network access facility, and the explanation of Fig. 1 is just schematic, thereby does not constitute the restriction to the invention protection range.
In addition, also needing network access equipment in this network environment, in general, is switch or router, with reference to figure 1, network access equipment in the present embodiment has used switch, and promptly the safety interaction switch uses switch here, and in order to give prominence to the notion of safety certification, called after safety interaction switch, just the convenience in order to illustrate can not constitute limiting the scope of the invention; In addition, also comprising Security Policy Server in this network environment, generally is one or more common computer equipment.
In this network environment, Security Policy Server is arranged in the network that the present invention will make great efforts to protect, but user terminal at first physical connection to network access equipment, such as, switch could and then may have access to resources shared in the network then.
Herein, the access way of user terminal is diversified, and this generally depends primarily on the physics and the logical attribute of security control, user terminal and the network access equipment of network.For example, the starting point of the access of existing general networking all is authentication, because the access of network must be controlled, this is the starting point of network security, otherwise the basic security key element of this network does not possess, unless this network does not need to carry out any security control, certainly, those of ordinary skill in the art can know that the existence of network is rarely found like this.
In a specific embodiment of the present invention, will at first need to carry out authentification of user during accessing user terminal to network, this will make security strategy enforcement, control in the network of the present invention become more effective and perfect.But in the present invention, mandatory declaration is that this authentification of user is optional rather than essential.Therefore, it goes without saying that those skilled in the art should be known in the just explanation and schematic of elaboration to user authentication process in the present embodiment, can not constitute limiting the scope of the invention.
Hereinafter will at first summarize the mode and the realization of setting forth authentification of user.General, the access scheme of user terminal can be that 802.1x inserts networking plan, VPN inserts networking plan or Portal inserts networking plan etc.Accordingly, network access equipment can be switch, router or vpn gateway, realizes 802.1x, Portal as previously described, the end points access control of VPN different authentication modes such as (Virtual Private Network, Virtual Private Networks) respectively.Above-mentioned three kinds of access waies respectively have characteristics, can carry out strict isolation to the user terminal that does not meet security strategy as 802.1x authentication mode networking plan, thereby effectively prevent the security threat from network internal; And, can realize, and then prevent the particularly potential safety hazard of bringing during corporate intranet of mobile office employee or extramural performer person's accesses network to the control of the end points of remote access user's terminal for the VPN authentication mode; Use equipment such as router, high-end switch; then can be in conjunction with the Portal authentication mode in the end points access control of convergence-level realization to the network user; thereby the networking plan of Portal has the characteristics of wide adaptability, can use and plurality of application scenes such as enterprise network outlet, branch's inlet, key area protection.Therefore, three kinds of main access schemes respectively have advantage, should dispose respectively and adopt according to different actual conditions, certainly, those of ordinary skill in the art can know, when having the more network equipment and inserting situation in network, uses three kinds of access waies simultaneously and will obtain better effect.
In the network environment of present embodiment, also comprise third-party server, promptly provide the third party to serve the server that carries out the anti-virus service or the patch service of self-regeneration as terminal.In the present invention, this server Be Controlled is arranged in the special networks zone, such as, with the special network segment that the IP address is distinguished and isolated by network access equipment and other network segments, its purpose is other network equipments of being unlikely to have influence on when request access that is access in the network security strategy or the user terminal that has inserted provide such as services such as third party's service upgrade, operating system patch in the network for not meeting.The service that this third-party server provides is according to different actual conditions and different, can provide the virus base upgrade service such as the antivirus server of the network edition, allows the anti-virus client to carry out online upgrading; Patch server then provides the system mend upgrade service, when the system mend of user terminal can not satisfy safety requirements, can carry out patch download and upgrading by patch server.In fact, the those of skill in the art in this area can know that the network service that provides on third party's webserver can be any necessary service that is provided with according to network security policy.
More than be the concrete network of relation environment that an embodiment of the present invention is used, but in this network environment, also need to carry out function corresponding setting and control, these function setting and control illustrate by software program in the present embodiment, generally speaking, program module comprises routine, program, assembly and the data structure etc. of carrying out particular task or realizing particular abstract.In fact, various aspects of the present invention can illustrate that fully those of ordinary skill in the art will recognize that these aspects also can realize in conjunction with other program module according to the application program of moving in network environment.
Specific functional modules in the network environment that hereinafter will specifically set forth present embodiment and be relied on; in general; the division of these modules only has the meaning on the function logic; those of skill in the art can know; the physics realization of these modules is concrete with diversified, and logical partitioning in the present embodiment and explanation can not constitute the restriction to protection range set forth in the present invention.
At first, user terminal deploy in this network environment the security client module, in the present embodiment, the security client module is mounted in the software program on the client terminal system, and this module is that user terminal is carried out authentication, the requisite parts of security state evaluation, and, the main body that the end points security strategy is carried out in the network, below, will summarize and set forth its main modular and function, specifically comprise:
1) user authentication module can cooperate collaborative work with switch, router, vpn gateway, and multiple authentication modes such as above-mentioned 802.1x, Portal, VPN are provided for the access network user, thereby realizes the end points access control of Access Layer, convergence-level and VPN; As previously mentioned, this module is that optionally on behalf of this module, the elaboration in the present embodiment be absolutely necessary.
2) user terminal initial safe status checkout module can be checked the information such as operating system version, system mend that include but not limited to that exist on the user terminal when the user carries out safety certification; The particularly for example interlock of anti-virus client of third party's service client that possesses on realization and the user terminal simultaneously, thereby the security information such as anti-virus software version, virus base version and checking and killing virus of inspection user terminal.
If client need be done the configuration of what detection when having done authentication in Security Policy Server, after authentification of user passes through so, by Security Policy Server what client need be done and detect (such as operating system version, virus base version or the like) notice client, client detects then, carries out safety certification then.
These information will at first be passed to the corresponding module of Security Policy Server in the safety certification process of network insertion process, thereby will carry out the judgement and the control of end points access effectively.But the content of this operation is optional, this optional be to realize by the relevant configuration on Security Policy Server, such as on Security Policy Server, the configurable virus base version of whether checking when safety certification can be done this detection if disposed just when safety certification.For another example: configurablely whether when safety certification, carry out " virus scan ", if disposed, so at user terminal when carrying out safety certification, check whether the user has virus, if virus is arranged and do not kill, then can be put into user terminal isolated area and notify its upgrading.
3) security strategy is implemented module, and this module major function comprises and is used for receiving security strategy and the execution of force users terminal that Security Policy Server issues in safety certification by the back.After safety certification is passed through, Security Policy Server with the user after having passed through authentification of user and safety certification on need in the network process content of the security monitoring done to be handed down to client such as monitoring mail, monitoring internal memory, monitoring boot section or the like, security strategy implements that module receives the monitoring that the issues indication of Security Policy Server and the execution of the described security strategy of control on user terminal.
This module also is used for the various security incidents on the monitor user ' terminal simultaneously, include but not limited to detect and whether changed security set on the user terminal, whether find new virus etc., and security incident regularly can be reported to Security Policy Server, be used for carrying out security audit afterwards.A kind of working method that need mention especially in this module is, user terminal normally through safety certification and access network after, on continuing in the network process, the client query that security client can regularly be served to the third party, for example, inquire about to the anti-virus client, see if there is virus or the anti-virus client is closed.If this module finds to have virus, and further, virus is not removed by the anti-virus client, then security strategy enforcement module will notify security client to send the notice of this security incident to Security Policy Server, and Security Policy Server will notify access device with user isolation, and the notice security client is upgraded; For the pent situation of anti-virus client, security client can send the notice of this security incident equally to Security Policy Server, and Security Policy Server will announcement apparatus with user isolation, and on user terminal display reminding message, wait for that the user handles, after the user disposes, such as, the user reopens the client of third party's service, carries out safety certification then again.And if find to have virus but removed automatically, security strategy is implemented module and will be notified security client this situation to be offered Security Policy Server and by the Security Policy Server log so.
But the content of this operation is optional, this optional be to realize by the relevant configuration on Security Policy Server, such as on Security Policy Server, configurable whether going up in the network process, monitoring has and does not have virus, if have and do not kill, then can be put into user terminal isolated area and notify its upgrading.In a word, processing mode described herein is flexibly, in general, if find virus and can't remove, can be with its isolation processing, but also can remind the user to have been found that virus do not isolate, perhaps not isolate and also do not notify the user and log in Security Policy Server just, these actions all are configurable.
In the present embodiment network environment also one or more in the Security Policy Server deploy security strategy module, this module is the center of security policy manager and control in the network, has functions such as user management, security policy manager, security state evaluation, safety interaction control and security incident audit concurrently.Specifically can further be divided into lower module:
1) security policy manager module.The a series of strategies that are used for user terminal is carried out access control carry out the centralization setting, this module be the invention provides method must obligato module.In general, the initial setting up of the security strategy on the strategic server and the best interface that is provided by this module by the system manager of modification are configured or revise according to the security strategy that designs in advance.
2) user management module.In the enterprise network, different users, the dissimilar safety inspection and the control that access terminal and may require different stage.Security Policy Server can provide personalized security configuration and network classes of service based on identity for different user, makes things convenient for the keeper network user to be formulated the security strategy of differentiation.Here need to prove, in some embodiments of the invention, also can omit and dispose this module, also can realize basic function of the present invention.Therefore, it goes without saying that, within the scope that such variation also is included in the present invention to be protected.
3) safety interaction control module.Security Policy Server is responsible for assessing the safe condition that security client reports, and utilize this module controls network access equipment, make it the user is put in the isolated area or the user is linked in the network beyond the isolated area, issue the repair mode and the security strategy of user terminal.
4) daily record audit module.Security Policy Server utilizes this module to collect the security incident that is reported by security client, and forms security log, can follow the trail of and the safe condition of the whole network of monitor network provides foundation for the keeper.
It is emphasized that at last the network access equipment in the network environment is the enforcement point of security strategy in the enterprise network in the present embodiment, the effect of playing force users access authentication, isolating defective terminal, provide services on the Internet for validated user.As mentioned above, according to the difference of application scenario, network access equipment can be switch, router or vpn gateway, realizes the end points access control of different authentication modes such as 802.1x, Portal, VPN as previously described respectively.But no matter be which kind of form, in general, the network access equipment among the present invention all has following functional module:
1) authentification of user control module is used for cooperating the identity authentication function of realizing network with the security client module with the corresponding functional part of security strategy module.Certainly, because in the present invention, user authentication process is not essential, and therefore in some embodiments of the invention, described network access equipment may omit this module.
2) user terminal isolation module is used for isolating the user terminal that does not meet security strategy according to the notice of security strategy module.Particularly in user terminal is in normal connection status process with network, if user terminal is found the situation that network security policy occurred not meeting, and can not repair, then need this user terminal forced quarantine, this isolation is mainly to be that action by this module in the network access equipment realizes.Certainly, the mode that it should be noted that isolation also is diversified.A kind of implementation wherein is exactly after network access equipment receives the isolated instructions that Security Policy Server issues, with user terminal with ACL (Access Control List, Access Control List (ACL)) or VLAN (Virtual Local AreaNetwork, VLAN) mode isolate; If the mode with ACL is isolated, then network access equipment will be provided with the ACL strategy for this user, make this user can visit some address and can not visit some address; If isolate in the VLAN mode, then network access equipment will be put into this user among the VLAN of isolated area correspondence.Equally, network access equipment in this module receive after the instruction of removing user isolation also can online releasing to the isolation of user terminal.The mode that it is emphasized that isolation described herein especially includes but not limited to ACL and VLAN mode.Therefore, it goes without saying that those skilled in the art can know that ACL in the present embodiment and the explanation of VLAN are exemplary, can not be construed as limiting protection scope of the present invention.
3) the network service that provides based on identity is provided identity service module.The strategy that network access equipment can issue according to Security Policy Server for the user provides personalized network service, provides different ACL, VLAN etc. as the difference by the user, and certainly, the realization of this module also is optional.
Introduce in detail below in the one embodiment of the invention, the method that is provided concrete operations flow process in actual applications, with reference to figure 2, this flow process is:
1) when user terminal is attempted access network, at first carry out authentification of user by security client, the disabled user will be rejected access network.Certainly, as mentioned above, the user authentication process in the present embodiment can not have yet, and this depends on concrete network safe state setting.But in general; the process that adds authentification of user will make security strategy implement strictness more; fully; simultaneously; the adding of authentification of user; can distinguish different user identity; thereby make Security Policy Server to provide personalized security configuration and network classes of service for different user based on identity; make things convenient for the keeper network user to be formulated the security strategy of differentiation; therefore; be to be that example is set forth in the most preferred embodiment of the present invention according to the system that comprises user authentication module; but this does not show limiting the scope of the invention, in other embodiments of the invention, can omit user authentication module fully; also can realize basic function of the present invention; therefore, it goes without saying that such variation is included within the scope that the present invention protects.And said here authentification of user generally refers to by AAA (Authentication, Authorization, Accounting, authentication, authorize, charge) server the client is authenticated.Herein, the division of aaa server and strategic server only has meaning in logic, and on physical structure, aaa server can be integrated together with strategic server, also can be split into two.Add partition, authentification of user is to be finished by aaa server so, and the safe condition authentication is then cooperated with security client by Security Policy Server and finishes.In addition, the user authen method of mentioning here also can have multiple, and by finishing user side, network access equipment, the common cooperation of Security Policy Server.The authentification of user success thinks that then this user is a validated user.
Whether after 2) authentification of user passes through, Security Policy Server will carry out the safe condition authentication to the user, qualified such as patch release, virus base version etc. by the safe condition of Security Policy Server checking user terminal.
Certainly, need to prove the place one's entire reliance upon setting of security strategy in the network of those information on the user terminal checked herein.For instance, if the inspection of when safety certification, carrying out the anti-virus inspection on the user terminal and whether having carried out patch upgrading, just must on Security Policy Server, for example dispose options such as " checking the antivirus engine version ", " checking the virus base version ", " carrying out virus scan ", " inspection software patch ", if wherein a certain do not dispose just do not carried out this inspection during safety certification so.And if in last network process, carry out some inspection, the setting of need being correlated with equally.
In the safety certification process, security client will pass to Security Policy Server to the security information of this locality such as patch release, virus base version etc., and whether Security Policy Server is qualified according to these security information of configuration determination such as version.When carrying out safety certification, security client also links with third party's service client such as anti-virus client, the specific implementation method of interlock can be that third party's service client provides interface to call for security client, relevant information with checking third party service, with third party's service is that anti-virus software is an example, to check the information such as version, virus base version of anti-virus software in the linkage process, and these information will be reported Security Policy Server.
This wherein, need to determine some information of the third party's service client software on the user terminal, compare with some information of third party's service on the Security Policy Server that is used to carry out safety certification, for example the two that provides compared, and which version is up-to-date.The mode of this comparison and can obtainable result depend on various concrete set-up modes.For example, can be by the information of the manual indicated release of system manager, be lower than the version information of appointment as the version of the third party's service client on the user terminal, then the safety certification of user terminal can not be passed through; Another kind of implementation is such as using adaptive mode, be meant a time range is set, such as, 5 days, if client is caught the security information of coming for example the version information and the version information on the Security Policy Server of patch or virus base is (concrete so, update date in the version) surpassed 5 days if compare the backward time, just need allow the user be connected to third-party server and go to upgrade or download up-to-date virus base.
It should be noted that information that the third party serves for example version whether be up-to-date, specifically be to serve provider oneself by the third party to guarantee to remain up-to-date version.Such as, anti-virus service, guarantee by the producer oneself of anti-virus software whether the virus base version on the virus server in the network is up-to-date all the time, those skilled in the art should know, the general way of the employing of these third party's services is just to connect the Internet at set intervals at present, reads to obtain up-to-date version and downloads to this locality from network (from the website of this antivirus server producer).
In actual conditions, if third-party server, specifically do not upgrade in time such as patch on antivirus server and/or the patch server or virus base version, the version situation lower than the version of user side on the server also may occur, system can control and make user safety authentication not pass through this moment.
3) after safety certification was passed through, strategic server was handed down to client with security set information.Security set information herein generally comprises but whether is not limited to web page monitored, internal memory, mail, malicious script, registration table etc.
4) the security client module is carried out the necessary security setting to user terminal.
5) if safety certification is not passed through, strategic server notice interlocking equipment is put into isolated area with the user, and at this moment interlocking equipment will be provided with ACL for this user, perhaps this user be drawn among the special VLAN, realize isolating.After the isolation, the user can't visit the network outside the isolated area.Simultaneously, strategic server notice client upgrade or (with) download up-to-date virus base.
6) security client cooperates with third-party server, and (download the back security client and cooperate with the anti-virus client, finish the renewal of virus base), patch upgrading etc. are downloaded in the upgrading such as the most current virus storehouse of finishing third party's service; Download herein is divided into again initiatively and passive dual mode, is provided with in Security Policy Server, and adopts the address of which kind of mode and virus or patch server all to be handed down to security client by Security Policy Server.If manually, need go to handle by user oneself; If automatically, then handle automatically by third party software such as anti-virus, the operating system etc. of client.
7) after third party's service upgrade or repairing are finished, will restart safety certification process, repeating step 2)~6).
After the safety certification of online was passed through, the user terminal after this was among the process of network insertion, at this moment still needs the safe condition of user terminal is monitored in real time, adjusted.The precondition of this real-time monitoring, adjustment is the security monitoring information that configuration needs monitoring on Security Policy Server.The concrete operations flow process of monitoring as shown in Figure 3.
With reference to figure 3, this figure summarizes shows operating process when user terminal finds that safe condition is unusual in the normal access procedure of network when, to judge earlier promptly whether this unusual safe condition is recoverable, if it is recoverable, then directly report to Security Policy Server, form daily record by Security Policy Server, be used for postaudit.But in addition on the one hand, if this unusual safe condition user terminal can't be by oneself, then at first isolate the isolation network zone that exists the third party to serve to this user terminal, and cooperate repairing or the prompting user carry out safe condition manually to repair processing by third-party server, after treating that repairing is finished, carry out the safety certification of system again.
With the antivirus protection is example, its concrete operations flow process is, the user behind access network in the network process, security client can to anti-virus client query user whether infected virus or anti-virus client be closed, infected virus if find on the user terminal, and the client of the service of the third party on the user terminal is not removed this virus automatically, send the notice of this security incident so to Security Policy Server by security client then, and after Security Policy Server receives this notice, will the informing network access device with user isolation, and the notice security client is upgraded; If perhaps discovery anti-virus client is closed and can't normally starts again, after then Security Policy Server is received the notice of security client, same meeting informing user terminal, and user terminal is put into isolated area, while display reminding message on user terminal, require the user to handle, after the user normally starts the anti-virus client, carry out safety certification more again.But another situation is, if find virus is arranged but removed automatically by user terminal, so just by security client this situation offered Security Policy Server and by the Security Policy Server log; If the basic security incident that just do not note abnormalities, such as, do not find virus, then will proceed monitoring, repeat said process.
It should be noted that the aforesaid operations process in the network process is optional; Can on Security Policy Server, dispose and whether do this operation.
Promptly as indicated above, the one skilled in the art can know, under said method provided unified design of the present invention, also can design one and have and can carry out unified security strategy, automatic butt is gone into the network security protection system that the network client is monitored, upgraded and repairs.
In view of the above, another object of the present invention provides a kind of network security protection system that network security is integrated the linked protection function that has, this system comprises at least one network security policy server and at least one network access equipment, user terminal can be connected to the network with network security policy server by network access equipment, and this system also comprises:
A security client module is used for being deployed in request and is linked in the network with described Security Policy Server;
A security strategy service module is located on the network security policy server, is used for disposing in the network that is requested to insert and control execution security strategy;
A network security interaction module is positioned on the network access equipment, is used for isolating or inserting the user terminal with security client module according to the security strategy that described security strategy service module is disposed;
Described user terminal with described security client module is connected to the Security Policy Server with security strategy service module by the network access equipment with network security interaction module.
In addition, this system also comprises third party's network service module, is positioned on third party's webserver, and this third party's webserver is arranged in the isolation network zone, is used to segregate user terminal that the service of third party's network is provided.
Wherein, the service of third party's network is virus base upgrading or system mend upgrade service, when user terminal is isolated in the isolation network zone, described security strategy service module notice security client module upgrade and or download up-to-date virus base; Described security client module cooperates with described third party's network service module, finishes the renewal and or the patch upgrading of download of most current virus storehouse and local virus library.
More general, the present invention also provides another network security protection system, this system comprises Security Policy Server and network access equipment, described Security Policy Server has default security strategy, and in order to the checking access user terminal security information whether meet its security strategy requirement, it is characterized in that, this Security Policy Server will be verified the described network access equipment of result notification, network access equipment issues corresponding access rules according to the checking result, isolates present networks with the access user terminal that will not meet the security strategy requirement.
Wherein, described network access equipment is isolated the described user terminal that does not meet security strategy in a network with third-party server, and this third-party server has the ability of improving the user terminal security information.
Wherein, described third-party server provides the renewal or the patch upgrading of download of most current virus storehouse or local virus library.
Though diagram has also been described the preferred embodiments of the present invention, should be appreciated that can to the present invention carry out various changes and and without prejudice to the spirit and scope of the invention.

Claims (13)

1. network safety protection method, this method is carried out network safety prevention by the network that comprises at least one user terminal, at least one network access equipment and at least one Security Policy Server, it is characterized in that comprising the following steps:
(1) at first is isolated to the isolation network zone during user terminal requests access network;
(2) user terminal is collected security information on the user terminal and is reported described Security Policy Server and carry out safety certification;
(3) network area beyond the described isolation network zone that described user terminal is linked into by described Security Policy Server informing network access device then of safety certification.
2. the method for claim 1 is characterized in that also providing in the described network server with the service of third party's network, is positioned at the isolation network zone described in the step (1), for the user terminal that inserts described isolation network zone provides service.
3. method as claimed in claim 2 is characterized in that the service of described third party's network is virus base upgrading or system mend upgrade service, and further comprises the steps:
Described Security Policy Server informing user terminal upgrade and or download up-to-date virus base;
Described user terminal cooperates with described third party's webserver, finishes the renewal and or the patch upgrading of download of most current virus storehouse and local virus library.
4. the method for claim 1 is characterized in that user terminal carried out authentification of user earlier in the step (1) before being isolated to the isolation network zone, and authentification of user does not insert the isolation network zone by being rejected.
5. method as claimed in claim 4 is characterized in that described network access equipment can be switch, router or Virtual Private Network gateway.
6. the method for claim 1 is characterized in that this method further comprises:
(4) after described user terminal inserts the proper network zone, dispose the incident that whether occurs not meeting network security policy on the regular inquiring user terminal according to the security strategy of Security Policy Server;
(5) if find not meet the incident of network security policy but user terminal can be repaired, then directly be reported to Security Policy Server to carry out postaudit, and return step (4);
(6) if finding the incident and the user terminal that do not meet network security policy can't repair, then user terminal sends the notice request processing to Security Policy Server;
(7) described Security Policy Server is isolated the relative users terminal by network access equipment, and notifies described user terminal to upgrade or reminding subscriber terminal is handled;
(8) user terminal upgrading finish or user terminal processes after, return step (2), carry out safety certification again.
7. method as claimed in claim 6 is characterized in that described network access equipment isolates user terminal in the mode of Access Control List (ACL) or VLAN.
8. network security protection system, this system comprises at least one network security policy server and at least one network access equipment, user terminal can be connected to the network with network security policy server by network access equipment, it is characterized in that this system also comprises:
A security client module is used for being deployed in request and is linked in the network with described Security Policy Server;
A security strategy service module is located on the network security policy server, is used for disposing in the network that is requested to insert and control execution security strategy;
A network security interaction module is positioned on the network access equipment, is used for isolating or inserting the user terminal with security client module according to the security strategy that described security strategy service module is disposed;
Described user terminal with described security client module is connected to the Security Policy Server with security strategy service module by the network access equipment with network security interaction module.
9. network security protection system as claimed in claim 8, it is characterized in that also comprising third party's network service module, be positioned on third party's webserver, this third party's webserver is arranged in the isolation network zone, is used to segregate user terminal that the service of third party's network is provided.
10. network security protection system as claimed in claim 9, it is characterized in that the service of described third party's network is virus base upgrading or system mend upgrade service, when user terminal is isolated in the isolation network zone, described security strategy service module notice security client module upgrade and or download up-to-date virus base; Described security client module cooperates with described third party's network service module, finishes the renewal and or the patch upgrading of download of most current virus storehouse and local virus library.
11. network security protection system, it comprises Security Policy Server and network access equipment, described Security Policy Server has default security strategy, and in order to the checking access user terminal security information whether meet its security strategy requirement, it is characterized in that, this Security Policy Server will be verified the described network access equipment of result notification, network access equipment issues corresponding access rules according to the checking result, isolates present networks with the access user terminal that will not meet the security strategy requirement.
12. as network security protection system as described in 11, it is characterized in that, described network access equipment is isolated the described user terminal that does not meet security strategy in a network with third-party server, and this third-party server has the ability of improving the user terminal security information.
13., it is characterized in that described third-party server provides the most current virus storehouse to download or the renewal or the patch upgrading of local virus library as network security protection system as described in 12.
CN200510077344A 2005-06-22 2005-06-22 Network safety protection method and system Active CN1885788B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200510077344A CN1885788B (en) 2005-06-22 2005-06-22 Network safety protection method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200510077344A CN1885788B (en) 2005-06-22 2005-06-22 Network safety protection method and system

Publications (2)

Publication Number Publication Date
CN1885788A true CN1885788A (en) 2006-12-27
CN1885788B CN1885788B (en) 2010-05-05

Family

ID=37583780

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200510077344A Active CN1885788B (en) 2005-06-22 2005-06-22 Network safety protection method and system

Country Status (1)

Country Link
CN (1) CN1885788B (en)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010127578A1 (en) * 2009-05-04 2010-11-11 华为技术有限公司 Method, device and system for authenticating security status of telecommunication device
CN102104507A (en) * 2010-12-06 2011-06-22 杭州华三通信技术有限公司 Method and equipment for inspecting patch
CN102132287A (en) * 2008-08-28 2011-07-20 微软公司 Protecting virtual guest machine from attacks by infected host
CN102171993A (en) * 2011-04-14 2011-08-31 华为技术有限公司 Linkage strategy implementation method and apparatus, open platform veneer and device
CN101123493B (en) * 2007-09-20 2011-11-09 杭州华三通信技术有限公司 Secure inspection method and secure policy server for network access control application system
CN102301373A (en) * 2009-01-29 2011-12-28 微软公司 Health-based Access To Network Resources
CN101599977B (en) * 2009-07-17 2012-04-18 杭州华三通信技术有限公司 Method and system for managing network service
CN101562541B (en) * 2009-05-19 2012-05-23 杭州华三通信技术有限公司 Unified management method and device thereof
CN102915419A (en) * 2011-08-03 2013-02-06 国民技术股份有限公司 Virus scanning method and scanning system
CN101616137B (en) * 2008-06-26 2013-02-27 中兴通讯股份有限公司 Safe access method and isolation method of host machine and safe access and isolation system
CN104410617A (en) * 2014-11-21 2015-03-11 西安邮电大学 Information safety attack and defense system structure of cloud platform
CN104519026A (en) * 2013-09-30 2015-04-15 中国电信股份有限公司 Method and system for controlling security access of virtual machines
CN105007283A (en) * 2015-08-12 2015-10-28 四川神琥科技有限公司 Network safety protection method
CN105516060A (en) * 2014-09-25 2016-04-20 宇龙计算机通信科技(深圳)有限公司 Entrance guard system, terminal, cloud server and safety strategy setting method
CN102915419B (en) * 2011-08-03 2016-12-14 国民技术股份有限公司 A kind of virus scan method and scanning system
CN106878139A (en) * 2017-03-17 2017-06-20 迈普通信技术股份有限公司 Certification escape method and device based on 802.1X agreements
CN108540467A (en) * 2018-04-02 2018-09-14 广东能龙教育股份有限公司 Safety isolation method based on firewall system
CN110198317A (en) * 2019-05-31 2019-09-03 烽火通信科技股份有限公司 A kind of portal authentication method and system based on port
CN110912896A (en) * 2019-11-27 2020-03-24 厦门市美亚柏科信息股份有限公司 Non-invasive HTTP interface security policy injection method
CN111970224A (en) * 2019-05-20 2020-11-20 北京奇安信科技有限公司 Environmental state sensing method and device of terminal equipment and computer equipment
CN112039894A (en) * 2020-08-31 2020-12-04 北京天融信网络安全技术有限公司 Network access control method, device, storage medium and electronic equipment
CN112839031A (en) * 2020-12-24 2021-05-25 江苏天创科技有限公司 Industrial control network security protection system and method

Cited By (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101123493B (en) * 2007-09-20 2011-11-09 杭州华三通信技术有限公司 Secure inspection method and secure policy server for network access control application system
CN101616137B (en) * 2008-06-26 2013-02-27 中兴通讯股份有限公司 Safe access method and isolation method of host machine and safe access and isolation system
CN102132287B (en) * 2008-08-28 2015-02-11 微软公司 Protecting virtual guest machine from attacks by infected host
CN102132287A (en) * 2008-08-28 2011-07-20 微软公司 Protecting virtual guest machine from attacks by infected host
US8954897B2 (en) 2008-08-28 2015-02-10 Microsoft Corporation Protecting a virtual guest machine from attacks by an infected host
CN102301373A (en) * 2009-01-29 2011-12-28 微软公司 Health-based Access To Network Resources
US8561182B2 (en) 2009-01-29 2013-10-15 Microsoft Corporation Health-based access to network resources
CN102301373B (en) * 2009-01-29 2013-06-26 微软公司 Health-based Access To Network Resources
WO2010127578A1 (en) * 2009-05-04 2010-11-11 华为技术有限公司 Method, device and system for authenticating security status of telecommunication device
CN101562541B (en) * 2009-05-19 2012-05-23 杭州华三通信技术有限公司 Unified management method and device thereof
CN101599977B (en) * 2009-07-17 2012-04-18 杭州华三通信技术有限公司 Method and system for managing network service
CN102104507A (en) * 2010-12-06 2011-06-22 杭州华三通信技术有限公司 Method and equipment for inspecting patch
CN102104507B (en) * 2010-12-06 2014-06-25 杭州华三通信技术有限公司 Method and equipment for inspecting patch
CN102171993B (en) * 2011-04-14 2013-09-11 华为技术有限公司 Linkage strategy implementation method and apparatus, open platform veneer and device
CN102171993A (en) * 2011-04-14 2011-08-31 华为技术有限公司 Linkage strategy implementation method and apparatus, open platform veneer and device
US9413592B2 (en) 2011-04-14 2016-08-09 Huawei Technologies Co., Ltd. Linkage policy implementation method and apparatus, open platform board, and device
CN102915419B (en) * 2011-08-03 2016-12-14 国民技术股份有限公司 A kind of virus scan method and scanning system
CN102915419A (en) * 2011-08-03 2013-02-06 国民技术股份有限公司 Virus scanning method and scanning system
CN104519026A (en) * 2013-09-30 2015-04-15 中国电信股份有限公司 Method and system for controlling security access of virtual machines
CN104519026B (en) * 2013-09-30 2018-11-30 中国电信股份有限公司 The secure accessing control method and system of virtual machine
CN105516060A (en) * 2014-09-25 2016-04-20 宇龙计算机通信科技(深圳)有限公司 Entrance guard system, terminal, cloud server and safety strategy setting method
CN104410617A (en) * 2014-11-21 2015-03-11 西安邮电大学 Information safety attack and defense system structure of cloud platform
CN105007283B (en) * 2015-08-12 2018-01-30 四川神琥科技有限公司 A kind of network safety protection method
CN105007283A (en) * 2015-08-12 2015-10-28 四川神琥科技有限公司 Network safety protection method
CN106878139A (en) * 2017-03-17 2017-06-20 迈普通信技术股份有限公司 Certification escape method and device based on 802.1X agreements
CN106878139B (en) * 2017-03-17 2019-09-13 迈普通信技术股份有限公司 Certification escape method and device based on 802.1X agreement
CN108540467A (en) * 2018-04-02 2018-09-14 广东能龙教育股份有限公司 Safety isolation method based on firewall system
CN111970224A (en) * 2019-05-20 2020-11-20 北京奇安信科技有限公司 Environmental state sensing method and device of terminal equipment and computer equipment
CN111970224B (en) * 2019-05-20 2023-08-22 奇安信科技集团股份有限公司 Environment state sensing method and device of terminal equipment and computer equipment
CN110198317A (en) * 2019-05-31 2019-09-03 烽火通信科技股份有限公司 A kind of portal authentication method and system based on port
CN110912896A (en) * 2019-11-27 2020-03-24 厦门市美亚柏科信息股份有限公司 Non-invasive HTTP interface security policy injection method
CN110912896B (en) * 2019-11-27 2022-02-25 厦门市美亚柏科信息股份有限公司 Non-invasive HTTP interface security policy injection method
CN112039894A (en) * 2020-08-31 2020-12-04 北京天融信网络安全技术有限公司 Network access control method, device, storage medium and electronic equipment
CN112839031A (en) * 2020-12-24 2021-05-25 江苏天创科技有限公司 Industrial control network security protection system and method

Also Published As

Publication number Publication date
CN1885788B (en) 2010-05-05

Similar Documents

Publication Publication Date Title
CN1885788A (en) Network safety protection method and system
US11604861B2 (en) Systems and methods for providing real time security and access monitoring of a removable media device
US11652829B2 (en) System and method for providing data and device security between external and host devices
US10212134B2 (en) Centralized management and enforcement of online privacy policies
CN1295904C (en) Computer security and management system
US10057284B2 (en) Security threat detection
US8056136B1 (en) System and method for detection of malware and management of malware-related information
US8065712B1 (en) Methods and devices for qualifying a client machine to access a network
US7805752B2 (en) Dynamic endpoint compliance policy configuration
CN1665201A (en) System and method for securing a computer system connected to a network from attacks
US20060164199A1 (en) Network appliance for securely quarantining a node on a network
CN1833228A (en) An apparatus, system, method and computer program product for implementing remote client integrity verification
CN1661970A (en) Network security device and method for protecting a computing device in a networked environment
WO2007069245A2 (en) System and method for providing network security to mobile devices
CN104917779A (en) Protection method of CC attack based on cloud, device thereof and system thereof
CN1863211A (en) Content filtering system and method thereof
CA2680231A1 (en) System and method for providing data and device security between external and host devices
CN1960246A (en) Method for filtering out harmfulness data transferred between terminal and destination host in network
CN1298141C (en) Safety platform for network data exchange
CN1808992A (en) Security management service system and its implementation method
CN111756707A (en) Back door safety protection device and method applied to global wide area network
CN114143077B (en) Terminal safety protection method and device
RU2571725C2 (en) System and method of controlling parameters of applications on computer user devices
CN118740435A (en) Regional boundary safety protection method and system
CN101043409A (en) Method and apparatus for realizing information safety

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.

CP03 Change of name, title or address