CN1885788B - Network safety protection method and system - Google Patents

Publication number: CN1885788B
Authority: CN (China)
Prior art keywords: network, user terminal, security, security policy, service
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Application number: CN200510077344A
Other languages: Chinese (zh)
Other versions: CN1885788A
Inventor: 陈有琨
Current assignee: New H3C Technologies Co Ltd (as listed; Google notes the list may be inaccurate)
Original assignee: Hangzhou H3C Technologies Co Ltd
Events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CN200510077344A; published as CN1885788A; application granted and published as CN1885788B; legal status active
Abstract

The disclosed network security protection method provides a security policy server and an access device. A terminal requesting access is first isolated in a separate network zone for security certification; if certification fails, the terminal is upgraded and repaired with the help of a third-party server and then certified again. After the terminal has been admitted to the network it is still monitored under the same security policy, so that events that violate the policy can be handled. The invention gives the network a safer and more complete self-protection capability.

Description

Network safety protection method and system
Technical field
The present invention relates to a network security protection method and system, and in particular to a method and system for protecting the security state of user terminals in a network.
Background technology
After many years of application and development, and with a deepening understanding of network hardware and software technology, network security has overtaken network reliability, switching capacity and quality of service as the issue enterprise users care about most, and network security infrastructure has become a top priority in enterprise network construction.
New security threats keep emerging in enterprise networks, such as increasingly rampant network attacks and computer viruses. Some attacks target vulnerabilities in operating systems or application software and are highly damaging: they may crash systems and networks, or lead to important data being stolen or tampered with. Computer viruses are self-replicating, which keeps widening the damage they do and the scope they affect; they frequently cause system crashes and network outages, and heavy losses for the enterprise.
In an enterprise network, the security state of every terminal, in particular its anti-virus capability, patch level and system security settings, directly affects the security of the whole network. A terminal that does not meet the enterprise security policy, for example one with an outdated virus-definition database or missing patches, is easily attacked and infected. Once a terminal is infected it keeps looking for the next victim in the network and infects it; compromised machines may also become accomplices of the attacker and launch distributed attacks against critical servers in the enterprise network. In a network without such protection the end result may be a network-wide outage in which no terminal can work normally.
How to ensure that the security state of terminals in the network meets the enterprise security policy is a challenge every network administrator has to face. In the prior art the common situation is that new patches are released but nobody applies them, so the system vulnerabilities remain; new viruses appear but virus databases are not upgraded in time, which opens the door wide to infection. This situation is very common in enterprise networks. Yet for the administrator, searching for, isolating and repairing the terminals that do not meet the security policy is a time-consuming and laborious job, and there is often a large gap between the enforcement of the enterprise security policy and the actual security of terminals.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method and system for a network security system that can enforce a unified security policy and dispense with cumbersome manual prevention and upgrading, by integrating terminal security measures such as user-terminal anti-virus and patch repair with network security measures such as network access control and access-rights control into one coordinated security system.
The method provided by the present invention performs network security protection in a network comprising at least one user terminal, a network access device and a security policy server, and comprises the following steps:
(1) When a user terminal requests access to the network, user authentication is performed first. If authentication fails the request is rejected; if it succeeds the terminal is isolated in an isolation network zone.
(2) The user terminal collects security information that represents its own security state and reports it to the security policy server, which performs security certification of the terminal to determine whether the terminal's security state is compliant.
(3) If security certification passes, the security policy server instructs the network access device to admit the user terminal to the network zone beyond the isolation network zone.
After the user terminal has been admitted to the network zone beyond the isolation network zone, the method further comprises:
(4) When the user terminal detects an event that violates the network security policy, it sends a notification to the security policy server requesting handling.
(5) The security policy server isolates the corresponding user terminal through the network access device, and notifies the terminal to upgrade or prompts the terminal to handle the event.
A server providing third-party network services is also provided in the network; it is located in the isolation network zone of step (1) and serves the user terminals placed in that zone.
The third-party network service is a virus-database upgrade service or a system patch upgrade service, and the method further comprises: the security policy server notifies the user terminal to upgrade and/or download the latest virus database; the user terminal cooperates with the third-party network server to download the latest virus database, update its local virus database, and/or upgrade its patches.
The network access device may be a switch, a router or a virtual private network gateway.
Before the user terminal, having detected an event that violates the network security policy, sends a notification to the security policy server requesting handling, the method further comprises:
(6) After the user terminal has been admitted to the normal network zone, it periodically checks, according to the security policy deployed by the security policy server, whether an event that violates the network security policy has occurred on the terminal;
(7) If such an event is found but the user terminal can repair it itself, the event is reported directly to the security policy server for later audit, and the method returns to step (6);
(8) If such an event is found and the user terminal cannot repair it, the method proceeds to step (4);
After the user terminal has been notified to upgrade or prompted to handle the event, the method further comprises:
(9) After the user terminal has completed the upgrade or handled the event, the method returns to step (2) and security certification is performed again.
The network access device isolates the user terminal by means of an access control list (ACL) or a VLAN.
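The admission flow of steps (1) to (3) and the re-certification of step (9), with the ACL/VLAN isolation of the preceding paragraph, as an added example that is not part of the patent: a small Python model in which the security client reports its posture, the policy server certifies it, and the access device moves the port between an isolation VLAN (where a quarantine ACL lets the terminal reach only the third-party update servers and the policy server) and the production VLAN. The VLAN numbers, addresses, version strings and policy baselines are assumptions chosen for illustration. The version comparison is numeric on purpose: compared as strings, "7.10.2" would rank below "7.9.0" and a current anti-virus engine would be rejected.

```python
# Added example (not the patent's code): admission flow of steps (1)-(3) and (9) with
# ACL/VLAN isolation. All names, addresses, VLAN ids and version strings are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

QUARANTINE_VLAN = 999   # assumed VLAN for the isolation network zone
PRODUCTION_VLAN = 10    # assumed VLAN for the protected network zone

# Destinations a quarantined terminal may still reach (assumed addresses): the
# third-party remediation segment (anti-virus updates, patches) and the policy server.
REMEDIATION_NET = ip_network("10.99.0.0/24")
POLICY_SERVER = ip_address("10.1.0.10")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.10.2' into (7, 10, 2) so comparisons are numeric: as strings
    '7.10.2' < '7.9.0', as tuples (7, 10, 2) > (7, 9, 0)."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Policy:
    """Security policy held by the security policy server (assumed baselines)."""
    min_patch_level: int = 5
    min_av_engine: str = "7.2.0"
    min_virus_db: str = "2005.06.01"
    require_clean_scan: bool = True   # configurable: demand a virus scan at certification


@dataclass
class PostureReport:
    """Security information the security client collects and reports (step 2)."""
    os_patch_level: int
    av_running: bool
    av_engine: str
    virus_db: str
    scan_clean: bool


def evaluate(policy: Policy, report: PostureReport) -> List[str]:
    """Security certification: list of policy violations (empty means compliant)."""
    violations: List[str] = []
    if report.os_patch_level < policy.min_patch_level:
        violations.append("patch level below baseline")
    if not report.av_running:
        violations.append("anti-virus client not running")
    if parse_version(report.av_engine) < parse_version(policy.min_av_engine):
        violations.append("anti-virus engine below baseline")
    if parse_version(report.virus_db) < parse_version(policy.min_virus_db):
        violations.append("virus database below baseline")
    if policy.require_clean_scan and not report.scan_clean:
        violations.append("virus found and not removed")
    return violations


class AccessDevice:
    """Switch role: per-port VLAN assignment plus the quarantine ACL."""

    def __init__(self) -> None:
        self.port_vlan: Dict[str, int] = {}

    def assign(self, port: str, vlan: int) -> None:
        self.port_vlan[port] = vlan

    def permits(self, port: str, dst: str) -> bool:
        """Forwarding decision for traffic from `port` to IPv4 address `dst`. In the
        isolation VLAN only the remediation segment and the policy server are reachable."""
        vlan = self.port_vlan.get(port)
        if vlan == PRODUCTION_VLAN:
            return True
        if vlan == QUARANTINE_VLAN:
            addr = ip_address(dst)
            return addr == POLICY_SERVER or addr in REMEDIATION_NET
        return False   # unauthenticated port: nothing is forwarded


def admit(device: AccessDevice, port: str, user_authenticated: bool,
          policy: Policy, report: PostureReport) -> Tuple[str, List[str]]:
    """Steps (1)-(3): authenticate, isolate, certify, then admit or keep isolated."""
    if not user_authenticated:
        return "rejected", []                  # step (1): authentication failed
    device.assign(port, QUARANTINE_VLAN)       # step (1): isolate before certification
    violations = evaluate(policy, report)      # step (2): security certification
    if violations:
        return "isolated", violations          # remediate in the isolation zone, retry (step 9)
    device.assign(port, PRODUCTION_VLAN)       # step (3): admit to the protected zone
    return "admitted", []


def remediate(report: PostureReport, policy: Policy) -> PostureReport:
    """What the third-party update server in the isolation zone changes: the terminal
    downloads the current virus database and rescans (assumed outcome: clean)."""
    return PostureReport(report.os_patch_level, True, report.av_engine,
                         policy.min_virus_db, True)


if __name__ == "__main__":
    policy, switch = Policy(), AccessDevice()
    stale = PostureReport(5, True, "7.2.0", "2005.05.20", True)   # constructed report
    print(admit(switch, "GigabitEthernet1/0/1", True, policy, stale))
    print(switch.permits("GigabitEthernet1/0/1", "10.99.0.20"),   # update server: reachable
          switch.permits("GigabitEthernet1/0/1", "10.1.2.3"))     # internal host: blocked
    print(admit(switch, "GigabitEthernet1/0/1", True, policy, remediate(stale, policy)))
```

The port is placed in the isolation VLAN before any posture data is trusted, so a terminal that never reports, or reports garbage, stays quarantined by default; only a clean evaluation moves it to the production VLAN.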
Another aspect of the present invention provides a network security protection system comprising at least a network security policy server and at least one network access device. When a user terminal requests access to the network, the network access device performs user authentication first; if authentication succeeds the terminal is isolated in an isolation network zone, and if it fails the request is rejected. A user terminal in the isolation network zone can connect through the network access device to the network in which the network security policy server is located. The system further comprises:
a security client module, deployed on the user terminal that requests access to the network containing the security policy server;
a security policy service module, located on the network security policy server, for deploying the security policy in the network to which access is requested and controlling its enforcement;
a network security interaction module, located on the network access device, for isolating or admitting a user terminal equipped with the security client module according to the security policy deployed by the security policy service module.
The user terminal with the security client module connects through the network access device with the network security interaction module to the security policy server with the security policy service module. After the user terminal has been admitted to the network zone beyond the isolation network zone, it sends a notification to the security policy server requesting handling whenever it detects an event that violates the network security policy; the security policy server isolates the corresponding user terminal through the network access device and notifies the terminal to upgrade or prompts it to handle the event.
The system further comprises a third-party network service module located on a third-party network server in the isolation network zone, for providing third-party network services to isolated user terminals.
The third-party network service is a virus-database upgrade service or a system patch upgrade service. While a user terminal is isolated in the isolation network zone, the security policy service module notifies the security client module to upgrade and/or download the latest virus database; the security client module cooperates with the third-party network service module to download the latest virus database, update the local virus database, and/or upgrade patches.
Another aspect of the present invention provides a network security protection system comprising a security policy server and a network access device. When a user terminal requests access to the network, the network access device performs user authentication first; if authentication succeeds the terminal is isolated in an isolation network zone, and if it fails the request is rejected. A user terminal in the isolation network zone can connect through the network access device to the network in which the security policy server is located. The security policy server holds a preset security policy and verifies whether the security information of the accessing user terminal meets that policy; it notifies the network access device of the verification result, and the network access device issues corresponding access rules according to that result, isolating from the network any accessing user terminal that does not meet the security policy. After the user terminal has been admitted to the network zone beyond the isolation network zone, it sends a notification to the security policy server requesting handling whenever it detects an event that violates the network security policy; the security policy server isolates the corresponding user terminal through the network access device and notifies the terminal to upgrade or prompts it to handle the event.
The network access device isolates the non-compliant user terminal in a network containing a third-party server that is able to improve the terminal's security state; the third-party server provides download of the latest virus database, updating of the local virus database, or patch upgrades.
Because the method of the present invention integrates terminal security measures such as anti-virus and patch repair with network security measures such as network access control and access-rights control into one coordinated security system, sets the security policy of the whole network centrally and uniformly, first isolates a user terminal that is about to access the network in a particular network zone and then performs security certification, admits it to the protected network only after certification passes, and inspects, isolates, repairs, manages and monitors admitted user terminals in real time, a terminal that does not meet the overall security policy is isolated in a defined zone in time and corrected and upgraded automatically. These protective measures change the prior-art situation in which every new patch release or virus-database update had to be followed by laborious manual upgrading and downloading. Security protection and management of the whole network turns from passive defence into active defence, from single-point defence into all-round defence, and from loose management into centralised policy management, which raises the network's overall ability to defend against viruses, worms, network attacks and other security threats.
In addition, because the system of the present invention has a security policy service module, a secure access control module and a security client module, and further provides a third-party service module, it can deploy the security policy in the network and control its enforcement, isolate user terminals accessing the network, and interact with clients and control their execution of the security policy, so that it performs security certification of user terminals and servers well and can defend against network attacks.
The other system of the present invention combines security policy with access control, so that the network access device can be controlled effectively and in time to isolate accessing user terminals that do not meet the security policy into a dedicated isolation network zone equipped with third-party network services. The whole network therefore always operates under the preset security policy, and interference from network attacks such as network worms is avoided.
Description of drawings
Fig. 1 shows a typical network environment in which an embodiment of the invention is used.
Fig. 2 is a flow chart of the network connection operation of an embodiment of the invention.
Fig. 3 is a flow chart of the operations after network connection in an embodiment of the invention.
Embodiment
The essence of the present invention is to perform security certification of user terminals accessing the network. If a terminal's security state does not meet the security policy of the network being accessed, the terminal is temporarily isolated in an isolation network zone equipped with third-party network services, and those services are used to repair the terminal's security state so that it meets the policy; the whole network is thereby kept under a single unified protection policy at all times. In addition, a user terminal can be monitored throughout its time on the network. If a violation of the security policy is found, security measures are taken in time so that the whole network is not harmed: for example, the non-compliant terminal is isolated and repaired as described above and then certified again; or the user is simply reminded that a virus has been found, without isolation; or the event is neither isolated nor reported to the user and is only recorded in a log on the security policy server, which forms a security log for later audit and for refining the security policy. In short, the method and system of the invention can deploy, enforce and monitor an overall security policy for a network, making network security management convenient, fast, efficient and flexible.
Specific embodiments of the invention are described below with reference to the drawings.
Fig. 1 and the following description give a brief overview of a computer network environment suitable for realising the functions of the invention. Although this embodiment speaks of network devices in a distributed computing environment, in which remote network devices are connected through a communication network and some communication equipment and certain additional tasks are performed by those remote devices, those of ordinary skill in the art will recognise that the invention can also be realised with many other computer system configurations, including microprocessor systems, microcomputers, mainframe computers, routers and switches. The invention can be applied to wide area networks and local area networks, or realised on a single computer or on multiple network devices that use logical rather than physical remote devices.
Fig. 1 shows a typical network environment in which an embodiment of the invention is used. The environment may contain one or more user terminals, which may be desktop computers, handheld devices, notebooks and the like; those skilled in the art will recognise that a user terminal may also be any other network device with network access capability, and that Fig. 1 is schematic only and does not limit the scope of protection of the invention.
The environment also needs a network access device, which in general is a switch or a router. In Fig. 1 the network access device of this embodiment is a switch, called the security interaction switch here only to highlight the concept of security certification; the name is for convenience of description and does not limit the scope of the invention. The environment also contains a security policy server, generally one or more ordinary computers.
In this environment the security policy server is located in the network that the invention seeks to protect, while a user terminal must first connect physically to the network access device, such as the switch, before it can access the shared resources of the network.
The way a user terminal accesses the network varies and depends mainly on the network's security controls and on the physical and logical attributes of the terminal and the access device. For example, access to existing networks generally starts with authentication, because network access must be controlled; this is the starting point of network security, and a network that lacks it lacks a basic security element, unless the network needs no security control at all, which those of ordinary skill in the art know is rare.
In one embodiment of the invention, user authentication is required first when a user terminal accesses the network; this makes security policy enforcement and control in the network more effective and complete. It must be stated, however, that in the present invention this user authentication is optional rather than essential. The description of the user authentication process in this embodiment is therefore illustrative and schematic only and does not limit the scope of the invention.
The manner and realisation of user authentication are summarised first. In general the access scheme of a user terminal may be an 802.1x access scheme, a VPN access scheme or a Portal access scheme; correspondingly, the network access device may be a switch, a router or a VPN gateway, realising endpoint access control with the 802.1x, Portal or VPN (Virtual Private Network) authentication modes respectively. Each of the three has its own characteristics. The 802.1x scheme can strictly isolate user terminals that do not meet the security policy and so effectively prevents security threats from inside the network. The VPN mode enables endpoint control of remote-access user terminals and so guards against the hazards introduced when mobile employees or outside personnel access the network, particularly the corporate intranet. Routers and high-end switches can realise endpoint access control of network users at the aggregation layer in combination with Portal authentication; the Portal scheme is therefore widely applicable and can be used at the enterprise network egress, at branch ingress, for protection of key areas and in many other scenarios. The three main access schemes each have advantages and should be deployed according to actual conditions; where a network contains many devices and access situations, using all three together gives better results.
The network environment of this embodiment also contains a third-party server, that is, a server providing third-party services such as anti-virus or patch services with which terminals repair themselves. In the invention this server is placed under control in a special network zone, for example a dedicated IP network segment that the network access device distinguishes and isolates from the other segments, so that third-party services such as service upgrades and operating-system patches can be provided to terminals that request access, or have already been admitted, but do not meet the network security policy, without affecting other network devices. The service depends on the situation: a network-edition anti-virus server can provide a virus-database upgrade service that lets anti-virus clients upgrade online; a patch server provides a system patch upgrade service, so that a terminal whose patch level does not satisfy the security requirements can download and install patches from it. Those skilled in the art will recognise that the service provided on the third-party network server can be any necessary service defined by the network security policy.
The above is the specific network environment used by one embodiment of the invention, but corresponding functions must also be set up and controlled in that environment. In this embodiment these functions are described as software programs; in general, program modules include routines, programs, components and data structures that perform particular tasks or implement particular abstract data types. Although aspects of the invention are described in terms of application programs running in a network environment, those of ordinary skill in the art will recognise that they can also be realised in conjunction with other program modules.
The specific functional modules on which the network environment of this embodiment relies are set out below. In general the division into modules has meaning only at the level of functional logic; those skilled in the art know that the physical realisation of these modules is concrete and varied, and the logical partitioning and description in this embodiment do not limit the scope of protection of the invention.
First, a security client module is deployed on the user terminal. In this embodiment it is a software program installed on the client system; it is an indispensable component for authenticating the user terminal and assessing its security state, and is the agent that enforces the endpoint security policy in the network. Its main sub-modules and functions are:
1) User authentication module, which works with switches, routers and VPN gateways to provide the 802.1x, Portal, VPN and other authentication modes described above to users accessing the network, thereby realising endpoint access control at the access layer, at the aggregation layer and over VPN. As noted above, this module is optional; its description in this embodiment does not mean it is indispensable.
2) Initial security state check module, which, when the user undergoes security certification, checks information present on the terminal including but not limited to the operating system version and system patches. At the same time it interoperates with the third-party service client on the terminal, for example the anti-virus client, to check security information such as the anti-virus software version, the virus database version and the virus scan and removal status.
If the security policy server is configured with the checks the client must perform during certification, then after user authentication passes the server tells the client which checks to perform (such as operating system version or virus database version), the client performs them, and security certification follows. This information is passed first to the corresponding module of the security policy server during the security certification phase of network access, so that the endpoint access decision and control can be made effectively. The operation is optional and is configured on the security policy server: for example, the server can be configured to check the virus database version during security certification, in which case that check is performed. Likewise it can be configured to run a virus scan during security certification, in which case the terminal is checked for viruses during certification, and if a virus is found and cannot be removed the terminal is placed in the isolation zone and notified to upgrade.
3) Security policy implementation module, whose main function is to receive the security policy issued by the security policy server after security certification passes and to enforce it on the user terminal. After certification, the security policy server sends the client the security monitoring to be performed while the user, having passed user authentication and security certification, is on the network, such as monitoring mail, monitoring memory and monitoring the boot sector; the module receives the monitoring instructions issued by the server and controls the execution of that policy on the user terminal.
The module also monitors security events on the user terminal, including but not limited to whether security settings on the terminal have been changed and whether new viruses have been found, and periodically reports security events to the security policy server for later security audit. One mode of operation deserves special mention. After the terminal has passed security certification and been admitted, and while it remains on the network, the security client periodically queries the third-party service client, for example the anti-virus client, to learn whether there are viruses or whether the anti-virus client has been closed. If the module finds a virus that the anti-virus client has not removed, it has the security client send a notification of the event to the security policy server; the server instructs the access device to isolate the user and notifies the security client to upgrade. If the anti-virus client has been closed, the security client likewise notifies the server, which instructs the access device to isolate the user and displays a prompt on the terminal, waiting for the user to deal with it; after the user has done so, for example by reopening the third-party service client, security certification is performed again. If a virus is found but has been removed automatically, the module has the security client report this to the security policy server, which records it in the log.
This operation is also optional and configured on the security policy server: for example, the server can be configured to monitor for viruses while the terminal is on the network and, if one is found and not removed, to place the terminal in the isolation zone and notify it to upgrade. In short, the handling described here is flexible. In general a virus that is found and cannot be removed can be handled by isolation, but the user may instead be reminded that a virus has been found without isolation, or the event may only be logged on the security policy server without isolation or notification; all of these actions are configurable.
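The post-admission monitoring of steps (4) to (8) and the configurable handling described in the two preceding paragraphs, as an added example that is not the patent's code: the security client polls the anti-virus client and turns its status into security events, and the policy server maps each event kind to a configured response (isolate and upgrade, isolate and prompt the user, remind only, or log only), writing the security log used for later audit. Event names, the default configuration and the anti-virus status used as input are constructed for illustration; a healthy terminal yields no events, and an event kind the configuration does not mention is only logged.

```python
# Added example (not the patent's code): post-admission monitoring (steps 4-8) with
# configurable responses. Event names, configuration and sample status are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Response(Enum):
    ISOLATE_AND_UPGRADE = "isolate+upgrade"   # isolate via access device, tell client to update
    ISOLATE_AND_PROMPT = "isolate+prompt"     # isolate, show a message, wait for the user
    REMIND_ONLY = "remind"                    # tell the user, keep network access
    LOG_ONLY = "log"                          # record on the policy server only


# Assumed policy-server configuration: which event kind triggers which response.
DEFAULT_CONFIG: Dict[str, Response] = {
    "virus_found_not_removed": Response.ISOLATE_AND_UPGRADE,
    "av_client_closed": Response.ISOLATE_AND_PROMPT,
    "virus_removed": Response.LOG_ONLY,
    "security_setting_changed": Response.REMIND_ONLY,
}


@dataclass
class SecurityEvent:
    terminal: str
    kind: str
    detail: str


@dataclass
class Decision:
    isolate: bool
    message: Optional[str]      # text the client shows or acts on; None means silent
    recertify_after_fix: bool   # step (9): back to security certification once handled


def poll_av_client(terminal: str, status: Dict) -> List[SecurityEvent]:
    """Security client side: one periodic query of the third-party anti-virus client.
    `status` has the constructed shape {"running": bool, "active": [...], "removed": [...]}."""
    events: List[SecurityEvent] = []
    if not status.get("running", False):
        events.append(SecurityEvent(terminal, "av_client_closed", "anti-virus client is not running"))
    for name in status.get("active", []):     # step (8): infection the terminal cannot repair
        events.append(SecurityEvent(terminal, "virus_found_not_removed", name))
    for name in status.get("removed", []):    # step (7): repaired locally, reported for audit
        events.append(SecurityEvent(terminal, "virus_removed", name))
    return events


def handle_event(config: Dict[str, Response], event: SecurityEvent,
                 audit_log: List[str]) -> Decision:
    """Policy server side: look up the configured response, write the security log entry,
    and return the isolation/notification decision for the access device and the client."""
    response = config.get(event.kind, Response.LOG_ONLY)   # unknown kinds are only logged
    audit_log.append(f"{event.terminal} {event.kind} {event.detail!r} -> {response.value}")
    if response is Response.ISOLATE_AND_UPGRADE:
        return Decision(True, "isolated: upgrade the virus database and rescan", True)
    if response is Response.ISOLATE_AND_PROMPT:
        return Decision(True, f"isolated: {event.detail}; fix it to regain access", True)
    if response is Response.REMIND_ONLY:
        return Decision(False, f"warning: {event.detail}", False)
    return Decision(False, None, False)


def monitor_cycle(config: Dict[str, Response], terminal: str, status: Dict,
                  audit_log: List[str]) -> List[Decision]:
    """One polling round: the client collects events, the server decides each one."""
    return [handle_event(config, ev, audit_log) for ev in poll_av_client(terminal, status)]


if __name__ == "__main__":
    log: List[str] = []
    # Constructed status: AV client stopped, one infection it could not clean, one it cleaned.
    status = {"running": False, "active": ["Worm.Example"], "removed": ["Trojan.Example"]}
    for decision in monitor_cycle(DEFAULT_CONFIG, "pc-17", status, log):
        print(decision)
    print("\n".join(log))
```

Swapping the two isolating entries in the configuration for `Response.REMIND_ONLY` reproduces the "remind but do not isolate" mode described above without touching the client or the access device; the decision of what to do about an event lives only on the policy server.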
In the network environment of the present embodiment, a security policy module is also deployed on one or more Security Policy Servers. This module is the centre of security policy management and control in the network, and combines functions such as user management, security policy management, security state evaluation, security interaction control and security event audit. Specifically, it can be further divided into the following modules:
1) Security policy management module. Used for the centralized setting of the series of policies by which access control is applied to user terminals; this module is indispensable to the method provided by the invention. In general, the initial setup and any modification of the security policies on the policy server are best performed by the system administrator through the interface provided by this module, configuring or modifying them according to a security policy designed in advance.
2) User management module. In an enterprise network, different users and different types of access terminals may require different levels of security inspection and control. The Security Policy Server can provide identity-based personalized security configuration and network service classes for different users, which makes it convenient for the administrator to formulate differentiated security policies for network users. It should be noted that in some embodiments of the invention this module may be omitted and the basic function of the invention can still be realized; such variations are of course also included within the scope to be protected by the present invention.
3) Security interaction control module. The Security Policy Server is responsible for assessing the security state reported by the security client, and uses this module to control the network access device so that the user is placed in the isolation zone or admitted to the network outside the isolation zone, and to issue the repair method and the security policy to the user terminal.
4) Log audit module. The Security Policy Server uses this module to collect the security events reported by security clients and to form a security log, which gives the administrator a basis for tracing and monitoring the security state of the whole network.
Finally, it should be emphasized that in the present embodiment the network access device in the network environment is the enforcement point of the security policy in the enterprise network: it forces users to authenticate for access, isolates defective terminals and provides network service to legitimate users. As mentioned above, depending on the application scenario, the network access device may be a switch, a router or a VPN gateway, realizing endpoint access control with different authentication modes such as 802.1x, Portal and VPN respectively, as described earlier. Whatever its form, the network access device of the present invention generally has the following functional modules:
1) User authentication control module, used to cooperate with the security client module and the corresponding functional part of the security policy module to realize the identity authentication function of the network. Of course, since the user authentication process is not essential in the present invention, the network access device may omit this module in some embodiments.
2) User terminal isolation module, used to isolate user terminals that do not meet the security policy according to notices from the security policy module. In particular, while a user terminal is in the normal connected state with the network, if it is found that the terminal no longer meets the network security policy and cannot repair itself, the terminal must be forcibly isolated, and this isolation is mainly realized by the action of this module in the network access device. Of course, it should be noted that the isolation can take many forms. One implementation is that, after the network access device receives the isolation instruction issued by the Security Policy Server, it isolates the user terminal by means of an ACL (Access Control List) or a VLAN (Virtual Local Area Network). If isolation is by ACL, the network access device sets an ACL policy for this user so that the user can access some addresses and cannot access others; if isolation is by VLAN, the network access device places the user in the VLAN corresponding to the isolation zone. Likewise, after this module of the network access device receives an instruction to remove the user's isolation, it can release the isolation of the user terminal online. It is emphasized that the isolation methods described here include but are not limited to ACL and VLAN. Therefore, those skilled in the art will understand that the ACL and VLAN explanations in the present embodiment are exemplary and cannot be construed as limiting the protection scope of the invention.
3) Identity service module, which provides network services based on identity. The network access device can provide personalized network services for a user according to the policy issued by the Security Policy Server, for example by assigning different ACLs, VLANs and so on to different users. The realization of this module is also optional.
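The isolation and identity service modules of the access device, modelled as an added example (not code from the patent): on an isolation instruction the device either installs a per-user ACL that reaches only the isolation zone or moves the user into the quarantine VLAN, and releases it on the matching instruction. The addresses, VLAN ids and ACL entry format are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed addressing: the isolation zone holds the third-party anti-virus
# and patch servers; everything else is the normal enterprise network.
ISOLATION_ZONE = ipaddress.ip_network("10.10.9.0/24")
QUARANTINE_VLAN = 999   # VLAN corresponding to the isolation zone (assumed id)
DEFAULT_VLAN = 100      # VLAN for admitted users (assumed id)

# ACL entry: (action, destination network); first match wins.
AclEntry = Tuple[str, ipaddress.IPv4Network]


@dataclass
class UserState:
    vlan: int = DEFAULT_VLAN
    acl: List[AclEntry] = field(default_factory=list)
    isolated: bool = False


class AccessDevice:
    """Models the user terminal isolation module and identity service module."""

    def __init__(self, isolation_mode: str = "acl") -> None:
        if isolation_mode not in ("acl", "vlan"):
            raise ValueError("isolation mode must be 'acl' or 'vlan'")
        self.mode = isolation_mode
        self.users: Dict[str, UserState] = {}

    def user(self, name: str) -> UserState:
        return self.users.setdefault(name, UserState())

    def apply_identity_policy(self, name: str, vlan: int, acl: List[AclEntry]) -> None:
        """Identity service module: per-user VLAN/ACL issued by the policy server."""
        state = self.user(name)
        state.vlan, state.acl = vlan, list(acl)

    def isolate(self, name: str) -> None:
        """Isolation instruction received from the Security Policy Server."""
        state = self.user(name)
        if self.mode == "acl":
            # Per-user ACL: permit the isolation zone, deny everything else.
            state.acl = [("permit", ISOLATION_ZONE),
                         ("deny", ipaddress.ip_network("0.0.0.0/0"))]
        else:
            state.vlan = QUARANTINE_VLAN
        state.isolated = True

    def release(self, name: str) -> None:
        """Instruction to remove isolation after re-certification passes."""
        state = self.user(name)
        if self.mode == "acl":
            state.acl = []
        else:
            state.vlan = DEFAULT_VLAN
        state.isolated = False

    def permits(self, name: str, dst: str) -> bool:
        """Would this user's packet to dst be forwarded?"""
        state = self.user(name)
        addr = ipaddress.ip_address(dst)
        if state.vlan == QUARANTINE_VLAN:
            # The quarantine VLAN is routed to the isolation zone only.
            return addr in ISOLATION_ZONE
        for action, net in state.acl:
            if addr in net:
                return action == "permit"
        return True   # no ACL hit: default forwarding for an admitted user


if __name__ == "__main__":
    dev = AccessDevice("acl")
    dev.isolate("alice")
    print("alice -> AV server:", dev.permits("alice", "10.10.9.5"))   # True
    print("alice -> intranet :", dev.permits("alice", "10.20.0.7"))   # False
    dev.release("alice")
    print("alice -> intranet after release:", dev.permits("alice", "10.20.0.7"))
```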
The concrete operating flow of the method provided in one embodiment of the invention in actual application is described in detail below. With reference to Figure 2, the flow is:
1) When a user terminal attempts to access the network, user authentication is first performed through the security client, and illegitimate users are refused access to the network. Of course, as mentioned above, the user authentication process in the present embodiment may also be absent; this depends on the specific network security state settings. In general, however, adding user authentication makes security policy enforcement stricter and more complete. At the same time, user authentication distinguishes different user identities, so that the Security Policy Server can provide identity-based personalized security configuration and network service classes for different users, which makes it convenient for the administrator to formulate differentiated security policies for network users. The most preferred embodiment of the invention is therefore described using a system that includes a user authentication module as the example, but this does not limit the scope of the invention: in other embodiments the user authentication module can be omitted entirely and the basic function of the invention can still be realized, so such variations are of course included within the scope protected by the invention. The user authentication mentioned here generally means that the client is authenticated by an AAA (Authentication, Authorization, Accounting) server. The division between the AAA server and the policy server has meaning only logically; physically, the AAA server can be integrated with the policy server or split into two. With this division, user authentication is completed by the AAA server, while security state authentication is completed by the Security Policy Server in cooperation with the security client. In addition, the user authentication method mentioned here can take many forms, and is completed by the user side, the network access device and the Security Policy Server cooperating together. If user authentication succeeds, the user is considered a legitimate user.
2) After user authentication passes, the Security Policy Server performs security state authentication of the user: the Security Policy Server verifies whether the security state of the user terminal, such as its patch version and virus database version, is qualified.
Of course, it should be noted that which information on the user terminal is checked here depends entirely on the security policy settings in the network. For instance, if an anti-virus check and a check of whether patch upgrades have been applied are to be performed on the user terminal during safety certification, then options such as "check anti-virus engine version", "check virus database version", "perform virus scan" and "check software patches" must be configured on the Security Policy Server; if one of them is not configured, that check is not performed during safety certification. Likewise, if certain checks are to be performed while the terminal is online, the corresponding settings are needed.
During the safety certification process, the security client passes its local security information, such as patch version and virus database version, to the Security Policy Server, and the Security Policy Server determines according to its configuration whether this security information, such as the versions, is qualified. When performing safety certification, the security client also links with the third-party service client, such as the anti-virus client. The linkage can be implemented by the third-party service client providing an interface for the security client to call, so as to check the relevant information of the third-party service. Taking anti-virus software as the example of a third-party service, the linkage checks information such as the version of the anti-virus software and the virus database version, and reports this information to the Security Policy Server.
Here, some information about the third-party service client software on the user terminal must be determined and compared with the information about the third-party service held on the Security Policy Server for safety certification, for example by comparing the two and determining which version is newer. The manner of this comparison and the results it can yield depend on the specific settings. For example, a version can be specified manually by the system administrator: if the version of the third-party service client on the user terminal is lower than the specified version, the safety certification of the user terminal does not pass. Another implementation uses an adaptive mode, which means setting a time range, say 5 days: if the security information reported by the client, for example the version information of the patch or virus database, lags the version information on the Security Policy Server (specifically, the update date in the version) by more than 5 days, the user must be allowed to connect to the third-party server to upgrade or download the latest virus database.
It should be noted that whether the information about the third-party service, for example its version, is the latest is guaranteed by the third-party service provider itself, which keeps the latest version. For example, for an anti-virus service, the manufacturer of the anti-virus software guarantees that the virus database version on the virus server in the network is always the latest. Those skilled in the art should know that the general practice adopted by such third-party services at present is to connect to the Internet at set intervals and read and download the latest version from the network (from the website of the anti-virus server manufacturer) to the local server.
In practice, if the third-party server, specifically the patch or virus database version on the anti-virus server and/or patch server, is not upgraded in time, it may happen that the version on the server is lower than the version on the user side; in this case the system can be controlled so that the user's safety certification does not pass.
3) After safety certification passes, the policy server issues security setting information to the client. The security setting information here generally includes, but is not limited to, web page monitoring, memory monitoring, mail monitoring, malicious script monitoring, registry monitoring and so on.
4) The security client module performs the necessary security settings on the user terminal.
5) If safety certification does not pass, the policy server notifies the linked device (the access device) to place the user in the isolation zone; the linked device then sets an ACL for this user or places the user in a special VLAN to realize isolation. After isolation, the user cannot access the network outside the isolation zone. At the same time, the policy server notifies the client to upgrade and/or download the latest virus database.
6) The security client cooperates with the third-party server to complete the upgrade of the third-party service, such as downloading the latest virus database (after the download, the security client cooperates with the anti-virus client to complete the update of the virus database) and patch upgrades. The download here is further divided into active and passive modes, set on the Security Policy Server; which mode is adopted and the address of the virus or patch server are both issued to the security client by the Security Policy Server. If manual, the user must handle it; if automatic, it is handled automatically by the third-party software on the client, such as the anti-virus software or the operating system.
7) After the third-party service upgrade or repair is complete, the safety certification process is restarted, repeating steps 2) to 6).
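Steps 2) to 6) above on the policy-server side, as an added example (not the patent's code): only the configured checks run, a version can be judged by an administrator-specified minimum (manual mode) or by its lag behind the server's own copy (adaptive mode, 5-day range), and the result is either the security settings of step 3 or the isolate-and-repair instruction of steps 5 and 6. The check names, the "YYYYMMDD" version format, the repair server address and the sample reports are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Security settings issued to the client once certification passes (step 3).
SECURITY_SETTINGS = ["web_page_monitor", "memory_monitor", "mail_monitor",
                     "malicious_script_monitor", "registry_monitor"]


@dataclass
class ServerPolicy:
    """What the administrator configured on the Security Policy Server."""
    enabled_checks: List[str]                                       # only these run
    min_versions: Dict[str, str] = field(default_factory=dict)      # manual mode
    server_versions: Dict[str, str] = field(default_factory=dict)   # adaptive mode
    max_lag_days: int = 5                     # adaptive-mode time range
    fail_if_client_newer: bool = False        # third-party server itself stale
    repair_server: str = "av-patch.isolation-zone.example"  # assumed address
    download_mode: str = "auto"               # "auto" or "manual" (step 6)


@dataclass
class Verdict:
    passed: bool
    reasons: List[str]      # empty when certification passes
    action: str             # "issue_settings" (step 3) or "isolate" (step 5)


def _as_date(version: str) -> date:
    """Assumed version format: the update date as 'YYYYMMDD'."""
    return date(int(version[:4]), int(version[4:6]), int(version[6:8]))


def certify(policy: ServerPolicy, reported: Dict[str, object]) -> Verdict:
    """Safety certification: compare the client's report with the policy."""
    reasons: List[str] = []
    for check in policy.enabled_checks:
        if check not in reported:
            reasons.append(f"{check}: not reported by the security client")
            continue
        value = reported[check]
        if check in policy.min_versions:
            # Manual mode: administrator-specified minimum version.
            if _as_date(str(value)) < _as_date(policy.min_versions[check]):
                reasons.append(f"{check}: {value} below required {policy.min_versions[check]}")
        elif check in policy.server_versions:
            # Adaptive mode: allowed lag behind the server's own copy.
            lag = (_as_date(policy.server_versions[check]) - _as_date(str(value))).days
            if lag > policy.max_lag_days:
                reasons.append(f"{check}: {lag} days behind the server (limit {policy.max_lag_days})")
            elif lag < 0 and policy.fail_if_client_newer:
                reasons.append(f"{check}: newer than the server copy, server not upgraded in time")
        elif value is not True:
            # Boolean check such as "perform virus scan".
            reasons.append(f"{check}: required check not satisfied")
    if reasons:
        return Verdict(False, reasons, "isolate")
    return Verdict(True, [], "issue_settings")


def certification_response(policy: ServerPolicy, reported: Dict[str, object]) -> dict:
    """Message sent back to the client: settings (step 3) or the
    isolation-and-repair instruction (steps 5 and 6)."""
    verdict = certify(policy, reported)
    if verdict.passed:
        return {"result": "pass", "security_settings": list(SECURITY_SETTINGS)}
    return {
        "result": "fail",
        "isolate": True,
        "reasons": verdict.reasons,
        "repair": {"server": policy.repair_server, "mode": policy.download_mode,
                   "items": [r.split(":")[0] for r in verdict.reasons]},
    }


# Constructed sample configuration and client reports.
POLICY = ServerPolicy(
    enabled_checks=["av_engine_version", "virus_db_version", "virus_scan"],
    min_versions={"av_engine_version": "20050101"},
    server_versions={"virus_db_version": "20050620"},
)
STRICT_POLICY = ServerPolicy(POLICY.enabled_checks, POLICY.min_versions,
                             POLICY.server_versions, fail_if_client_newer=True)
CLIENT_OK = {"av_engine_version": "20050301", "virus_db_version": "20050617",
             "virus_scan": True, "patch_version": "20040101"}   # patch check not enabled
CLIENT_STALE_DB = dict(CLIENT_OK, virus_db_version="20050610")  # 10 days behind
CLIENT_NEWER_DB = dict(CLIENT_OK, virus_db_version="20050625")  # server is behind

if __name__ == "__main__":
    for name, report in [("ok", CLIENT_OK), ("stale", CLIENT_STALE_DB), ("newer", CLIENT_NEWER_DB)]:
        print(name, certification_response(POLICY, report))
```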
After online safety certification passes, the user terminal is in the network-accessed state; at this time the security state of the user terminal still needs to be monitored and adjusted in real time. The precondition for this real-time monitoring and adjustment is that the security monitoring information to be monitored is configured on the Security Policy Server. The concrete operating flow of the monitoring is shown in Figure 3.
With reference to Figure 3, which summarizes the operating process when a user terminal finds that its security state is abnormal during normal network access: first it is judged whether this abnormal security state is recoverable. If it is recoverable, it is reported directly to the Security Policy Server, which forms a log for later audit. On the other hand, if the user terminal cannot recover from the abnormal security state by itself, the user terminal is first isolated into the isolation network zone where the third-party service exists, and the repair is carried out in cooperation with the third-party server or the user is prompted to repair the security state manually; after the repair is complete, the safety certification of the system is carried out again.
Taking anti-virus protection as an example, the concrete operating flow is as follows. While the user is online after accessing the network, the security client queries the anti-virus client whether the user has been infected with a virus or whether the anti-virus client has been closed. If a virus is found on the user terminal and the third-party service client on the user terminal has not removed it automatically, the security client sends a notice of this security event to the Security Policy Server; after receiving this notice, the Security Policy Server notifies the network access device to isolate the user and notifies the security client to upgrade. Alternatively, if it is found that the anti-virus client has been closed and cannot be started again normally, then after the Security Policy Server receives the security client's notice it likewise notifies the user terminal and places it in the isolation zone, while displaying a prompt message on the user terminal requiring the user to deal with it; after the user has started the anti-virus client normally, safety certification is performed again. In another case, if a virus is found but has been removed automatically by the user terminal, the security client simply reports this situation to the Security Policy Server, which logs it. If no abnormal security event is found at all, for example no virus is found, monitoring continues and the above process is repeated.
It should be noted that the above online monitoring process is optional; whether it is performed can be configured on the Security Policy Server.
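The Figure 3 flow and the configurable responses described earlier (isolate, remind the user only, or log only), as an added example that is not part of the patent: the security client classifies the answer of its periodic anti-virus client query into an event, and the policy server decides whether the terminal is isolated, what the client is told, and whether safety certification must be repeated. The event and response names and the sample query results are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Event(Enum):
    NO_ANOMALY = "no_anomaly"
    VIRUS_REMOVED = "virus_found_removed"           # recoverable by the terminal
    VIRUS_NOT_REMOVED = "virus_found_not_removed"   # not recoverable
    AV_CLIENT_CLOSED = "av_client_closed"           # not recoverable, needs the user
    SETTINGS_CHANGED = "security_settings_changed"  # reported for audit


class Response(Enum):
    CONTINUE = "continue_monitoring"
    LOG_ONLY = "log_only"
    NOTIFY_USER_ONLY = "notify_user_only"
    ISOLATE_AND_UPGRADE = "isolate_and_upgrade"
    ISOLATE_AND_PROMPT = "isolate_and_prompt"


@dataclass
class MonitorConfig:
    """Policy-server configuration of the (optional) online monitoring."""
    online_monitoring: bool = True
    # Response to a virus the anti-virus client could not remove; the text
    # allows isolation, reminding the user only, or logging only.
    unremoved_virus: Response = Response.ISOLATE_AND_UPGRADE
    av_client_closed: Response = Response.ISOLATE_AND_PROMPT


@dataclass
class Decision:
    response: Response
    isolate: bool                  # instruction to the network access device
    client_notice: Optional[str]   # "upgrade", "prompt_user", "notify_user" or None
    logged: bool                   # written to the policy server's security log
    recertify: bool                # safety certification must be repeated


def classify(query: Dict[str, bool]) -> Event:
    """Security client: turn the answer to its periodic anti-virus client
    query into an event (constructed field names)."""
    if not query.get("av_client_running", True):
        return Event.AV_CLIENT_CLOSED
    if query.get("settings_changed", False):
        return Event.SETTINGS_CHANGED
    if query.get("virus_found", False):
        return Event.VIRUS_REMOVED if query.get("virus_removed", False) else Event.VIRUS_NOT_REMOVED
    return Event.NO_ANOMALY


def handle_event(cfg: MonitorConfig, event: Event) -> Decision:
    """Security Policy Server: decide the response to a reported event."""
    if not cfg.online_monitoring or event is Event.NO_ANOMALY:
        return Decision(Response.CONTINUE, False, None, False, False)
    if event in (Event.VIRUS_REMOVED, Event.SETTINGS_CHANGED):
        # Recoverable or informational: straight to the log for later audit.
        return Decision(Response.LOG_ONLY, False, None, True, False)
    resp = cfg.unremoved_virus if event is Event.VIRUS_NOT_REMOVED else cfg.av_client_closed
    if resp is Response.ISOLATE_AND_UPGRADE:
        return Decision(resp, True, "upgrade", True, True)
    if resp is Response.ISOLATE_AND_PROMPT:
        return Decision(resp, True, "prompt_user", True, True)
    if resp is Response.NOTIFY_USER_ONLY:
        return Decision(resp, False, "notify_user", True, False)
    return Decision(Response.LOG_ONLY, False, None, True, False)


def monitoring_cycle(cfg: MonitorConfig, queries: List[Dict[str, bool]]) -> List[Decision]:
    """Process successive query results; stop once the terminal is isolated,
    because repair and re-certification take over from there."""
    decisions: List[Decision] = []
    for query in queries:
        decision = handle_event(cfg, classify(query))
        decisions.append(decision)
        if decision.isolate:
            break
    return decisions


# Constructed sequence of anti-virus client answers during one online session.
SAMPLE_QUERIES = [
    {"av_client_running": True, "virus_found": False},
    {"av_client_running": True, "virus_found": True, "virus_removed": True},
    {"av_client_running": True, "virus_found": True, "virus_removed": False},
    {"av_client_running": True, "virus_found": False},
]

if __name__ == "__main__":
    for decision in monitoring_cycle(MonitorConfig(), SAMPLE_QUERIES):
        print(decision)
```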
As indicated above, one skilled in the art will know that under the unified design of the method provided by the present invention, a network security protection system can also be designed that applies a unified security policy and automatically monitors, upgrades and repairs clients accessing the network.
Accordingly, another object of the present invention is to provide a network security protection system with an integrated network security linkage protection function. This system comprises at least one network security policy server and at least one network access device; a user terminal can be connected through the network access device to the network that contains the network security policy server. The system further comprises:
a security client module, to be deployed on a user terminal requesting access to the network containing the Security Policy Server;
a security policy service module, located on the network security policy server, for configuring and controlling the execution of the security policy in the network to which access is requested;
a network security interaction module, located on the network access device, for isolating or admitting the user terminal that carries the security client module according to the security policy configured by the security policy service module;
wherein the user terminal carrying the security client module is connected through the network access device carrying the network security interaction module to the Security Policy Server carrying the security policy service module.
In addition, the system also comprises a third-party network service module, located on a third-party network server; this third-party network server is located in the isolation network zone and provides third-party network services to isolated user terminals.
The third-party network service is a virus database upgrade or system patch upgrade service: when a user terminal is isolated in the isolation network zone, the security policy service module notifies the security client module to upgrade and/or download the latest virus database, and the security client module cooperates with the third-party network service module to complete the download of the latest virus database and the update of the local virus database, and/or the patch upgrade.
More generally, the present invention also provides another network security protection system, comprising a Security Policy Server and a network access device. The Security Policy Server has a preset security policy and verifies whether the security information of an accessing user terminal meets the requirements of that policy. The Security Policy Server notifies the network access device of the verification result, and the network access device issues corresponding access rules according to the verification result so as to isolate from this network any accessing user terminal that does not meet the security policy requirements.
The network access device isolates a user terminal that does not meet the security policy into a network containing a third-party server, and this third-party server has the ability to improve the security information of the user terminal.
The third-party server provides download of the latest virus database or update of the local virus database, or patch upgrade.
Although the preferred embodiments of the present invention have been illustrated and described, it should be appreciated that various changes can be made to the present invention without departing from its spirit and scope.

Claims (12)

1. A network security protection method, in which network security protection is carried out by a network comprising at least one user terminal, at least one network access device and at least one Security Policy Server, characterized in that it comprises the following steps:
(1) when the user terminal requests access to the network, user authentication is performed first; if user authentication does not pass, access is refused, and if it passes, the user terminal is isolated into an isolation network zone; a server with a third-party network service is also provided in the isolation network zone to provide the third-party network service to user terminals accessing the isolation network zone, the third-party network service being a virus database upgrade or system patch upgrade service;
(2) the user terminal collects security information representing its own inherent security state and reports it to the Security Policy Server; the Security Policy Server performs safety certification on the user terminal itself to determine whether the security state of the user terminal is qualified;
(3) if safety certification passes, the Security Policy Server notifies the network access device to admit the user terminal to the network area outside the isolation network zone;
after the user terminal has been admitted to the network area outside the isolation network zone, the method further comprises:
(4) when the user terminal finds an event that does not meet the network security policy, it sends a notice to the Security Policy Server requesting handling;
(5) the Security Policy Server isolates the corresponding user terminal through the network access device, and notifies the user terminal to upgrade or reminds the user terminal to handle it.
2. the method for claim 1 is characterized in that, also comprises:
Described Security Policy Server informing user terminal is upgraded and/or is downloaded up-to-date virus base;
Described user terminal cooperates with the server of the described third party's of having network service, finishes the renewal and/or the patch upgrading of download of most current virus storehouse and local virus library.
3. the method for claim 1 is characterized in that, described network access equipment can be switch, router or Virtual Private Network gateway.
4. the method for claim 1 is characterized in that,
When described user terminal is found not meet the incident of network security policy, before Security Policy Server sends the notice request processing, also comprise:
(6) after described user terminal inserts the proper network zone, dispose the incident that whether occurs not meeting network security policy on the regular inquiring user terminal according to the security strategy of Security Policy Server;
(7) if find not meet the incident of network security policy but user terminal can be repaired, then directly be reported to Security Policy Server to carry out postaudit, and return step (6);
(8) if finding the incident and the user terminal that do not meet network security policy can't repair, then carry out step (4);
Describedly notify described user terminal to upgrade or after reminding subscriber terminal handles, also comprise:
(9) user terminal upgrading finish or user terminal processes after, return step (2), carry out safety certification again.
5. method as claimed in claim 4 is characterized in that described network access equipment is isolated user terminal in the mode of Access Control List (ACL) or VLAN.
6. the method for claim 1 is characterized in that, the server of the wherein said third party's of having network service is specially third party's webserver.
7. A network security protection system, characterized in that the system comprises at least one network security policy server and at least one network access device; the network access device performs user authentication first when a user terminal requests access to the network; if user authentication passes, the user terminal is isolated into an isolation network zone, and if it does not pass, access is refused; a user terminal located in the isolation network zone can be connected through the network access device to the network containing the network security policy server; a server with a third-party network service is also provided in the isolation network zone to provide the third-party network service to user terminals accessing the isolation network zone, the third-party network service being a virus database upgrade or system patch upgrade service; the system further comprises:
a security client module, to be deployed on a user terminal requesting access to the network containing the Security Policy Server;
a security policy service module, located on the network security policy server, for configuring and controlling the execution of the security policy in the network to which access is requested, and for performing safety certification on the user terminal itself to determine whether the security state of the user terminal is qualified;
a network security interaction module, located on the network access device, for isolating or admitting the user terminal that carries the security client module according to the security policy configured by the security policy service module;
wherein the user terminal carrying the security client module is connected through the network access device carrying the network security interaction module to the Security Policy Server carrying the security policy service module; after the user terminal has been admitted to the network area outside the isolation network zone, when it finds an event that does not meet the network security policy it sends a notice to the Security Policy Server requesting handling; and the Security Policy Server isolates the corresponding user terminal through the network access device and notifies the user terminal to upgrade or reminds the user terminal to handle it.
8. The network security protection system of claim 7, characterized in that, when a user terminal is isolated in the isolation network zone, the security policy service module notifies the security client module to upgrade and/or download the latest virus database; and the security client module cooperates with the third-party network service module to complete the download of the latest virus database and the update of the local virus database, and/or the patch upgrade.
9. A network security protection system comprising a Security Policy Server and a network access device, characterized in that the network access device performs user authentication first when a user terminal requests access to the network; if user authentication passes, the user terminal is isolated into an isolation network zone, and if it does not pass, access is refused; a user terminal located in the isolation network zone can be connected through the network access device to the network containing the network security policy server; a server with a third-party network service is also provided in the isolation network zone to provide the third-party network service to user terminals accessing the isolation network zone, the third-party network service being a virus database upgrade or system patch upgrade service;
the Security Policy Server has a preset security policy and performs safety certification on the user terminal itself to determine whether the security state of the user terminal is qualified, verifying whether the security information of the accessing user terminal meets the requirements of its security policy; the Security Policy Server notifies the network access device of the verification result, and the network access device issues corresponding access rules according to the verification result so as to isolate from this network any accessing user terminal that does not meet the security policy requirements;
after the user terminal has been admitted to the network area outside the isolation network zone, when it finds an event that does not meet the network security policy it sends a notice to the Security Policy Server requesting handling; and the Security Policy Server isolates the corresponding user terminal through the network access device and notifies the user terminal to upgrade or reminds the user terminal to handle it.
10. The network security protection system of claim 9, characterized in that the network access device isolates the user terminal that does not meet the security policy into a network containing a server having the third-party network service, and this server having the third-party network service has the ability to improve the security information of the user terminal.
11. The network security protection system of claim 10, characterized in that the server having the third-party network service provides download of the latest virus database or update of the local virus database, or patch upgrade.
12. The network security protection system of claim 10, characterized in that the server having the third-party network service is specifically a third-party network server.
CN200510077344A 2005-06-22 2005-06-22 Network safety protection method and system Active CN1885788B (en)

Publications (2)

Publication Number Publication Date
CN1885788A CN1885788A (en) 2006-12-27
CN1885788B true CN1885788B (en) 2010-05-05

Family

ID=37583780

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200510077344A Active CN1885788B (en) 2005-06-22 2005-06-22 Network safety protection method and system

Country Status (1)

Country Link
CN (1) CN1885788B (en)

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101123493B (en) * 2007-09-20 2011-11-09 Hangzhou H3C Technologies Co., Ltd. Secure inspection method and secure policy server for network access control application system
CN101616137B (en) * 2008-06-26 2013-02-27 ZTE Corporation Host secure access method and isolation method, and secure access and isolation system
US8954897B2 (en) * 2008-08-28 2015-02-10 Microsoft Corporation Protecting a virtual guest machine from attacks by an infected host
US8561182B2 (en) * 2009-01-29 2013-10-15 Microsoft Corporation Health-based access to network resources
CN101883123A (en) * 2009-05-04 2010-11-10 Huawei Technologies Co., Ltd. Method, equipment and system for authenticating the security state of telecommunication equipment
CN101562541B (en) * 2009-05-19 2012-05-23 Hangzhou H3C Technologies Co., Ltd. Unified management method and device thereof
CN101599977B (en) * 2009-07-17 2012-04-18 Hangzhou H3C Technologies Co., Ltd. Method and system for managing network service
CN102104507B (en) * 2010-12-06 2014-06-25 Hangzhou H3C Technologies Co., Ltd. Method and equipment for inspecting patches
EP2632086B1 (en) 2011-04-14 2016-04-06 Huawei Technologies Co., Ltd. Linkage strategy implementation method and module, open platform board and device
CN104519026B (en) * 2013-09-30 2018-11-30 China Telecom Corporation Limited Secure access control method and system for virtual machines
CN105516060A (en) * 2014-09-25 2016-04-20 Yulong Computer Telecommunication Scientific (Shenzhen) Co., Ltd. Access control system, terminal, cloud server and security policy setting method
CN104410617B (en) * 2014-11-21 2018-04-17 Xi'an University of Posts and Telecommunications Information security attack and defense deployment framework for a cloud platform
CN105007283B (en) * 2015-08-12 2018-01-30 Sichuan Shenhu Technology Co., Ltd. Network security protection method
CN106878139B (en) * 2017-03-17 2019-09-13 Maipu Communication Technology Co., Ltd. Authentication escape method and device based on the 802.1X protocol
CN108540467A (en) * 2018-04-02 2018-09-14 Guangdong Nenglong Education Co., Ltd. Security isolation method based on a firewall system
CN111970224B (en) * 2019-05-20 2023-08-22 Qi An Xin Technology Group Inc. Environment state sensing method and device for terminal equipment, and computer equipment
CN110198317A (en) * 2019-05-31 2019-09-03 FiberHome Telecommunication Technologies Co., Ltd. Port-based portal authentication method and system
CN110912896B (en) * 2019-11-27 2022-02-25 Xiamen Meiya Pico Information Co., Ltd. Non-invasive HTTP interface security policy injection method
CN112039894B (en) * 2020-08-31 2023-01-10 Beijing Topsec Network Security Technology Co., Ltd. Network access control method, device, storage medium and electronic equipment
CN112839031A (en) * 2020-12-24 2021-05-25 Jiangsu Tianchuang Technology Co., Ltd. Industrial control network security protection system and method

Also Published As

Publication number Publication date
CN1885788A (en) 2006-12-27

Similar Documents

Publication Publication Date Title
CN1885788B (en) Network safety protection method and system
US11604861B2 (en) Systems and methods for providing real time security and access monitoring of a removable media device
US11652829B2 (en) System and method for providing data and device security between external and host devices
CN109766699B (en) Operation behavior intercepting method and device, storage medium and electronic device
CN101496025B (en) System and method for providing network security to mobile devices
CN114978584A (en) Network security protection safety method and system based on unit cell
US20060164199A1 (en) Network appliance for securely quarantining a node on a network
US8520512B2 (en) Network appliance for customizable quarantining of a node on a network
CN104270467B (en) Virtual machine management and control method for a hybrid cloud
US20160277431A1 (en) Security threat detection
EP2132643B1 (en) System and method for providing data and device security between external and host devices
KR100788256B1 (en) System for monitoring web server fabrication using network and method thereof
CN106027463A (en) Data transmission method
CN105991647A (en) Data transmission method
CN106027466A (en) Identity card cloud authentication system and card reading system
CN106027476A (en) Identity card cloud authentication system and card reading system
CN115701019A (en) Access request processing method and device of zero trust network and electronic equipment
CN109818984A (en) Vulnerability defense method and device
TWI556129B (en) Management server and method and user client device and monitoring method thereof
CN111756707A (en) Backdoor security protection device and method applied to the global wide area network
Jabbour et al. Policy-based enforcement of database security configuration through autonomic capabilities
Nash An undirected attack against critical infrastructure
JP2004206683A (en) System management device, method and program, management server system and its control process, insurance method, security program, security management method, computer, and server computer
CN114143077B (en) Terminal security protection method and device
Ruha Cybersecurity of computer networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 No. 466 Changhe Road, Binjiang District, Hangzhou, Zhejiang, China

Patentee after: New H3C Technologies Co., Ltd.

Address before: 310053 Huawei Hangzhou Production Base, No. 310 Liuhe Road, Science and Technology Industrial Park, Hangzhou Hi-Tech Industrial Development Zone, Zhejiang Province, China

Patentee before: Hangzhou H3C Technologies Co., Ltd.