CN1889427A - Safety star-shape local network computer system - Google Patents
- Publication number: CN1889427A (application number CN200610012093)
- Authority: CN (China)
- Prior art keywords: security, monitoring unit, level, server, network
- Legal status: Granted (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Classification (landscapes)
- Computer And Data Communications (AREA)
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
This invention relates to network security technology. The system consists of a resource server, network application servers, security terminals and a monitoring unit. The resource server provides the resources (operating systems, application software and data files) used by all security terminals and assigns each resource a security level. The monitoring unit assigns the same security level to any terminal that uses a resource, monitors communication among the security terminals, between the terminals and the resource server, and with the network application servers, and enforces the corresponding monitoring strategy. A security terminal may only communicate with other security terminals of equal level. A terminal's level is determined by the levels of the resources it accesses: when a resource's level is higher than the terminal's, the terminal takes on the resource's level; otherwise its level is unchanged.
Description
Technical field
The invention belongs to the field of network security technology.
Background technology
As network technology has developed, computers have moved from the traditional standalone form to networked systems of many interconnected machines. In this evolution the security problems facing computer systems have also become increasingly serious, moving from the standalone form to network-based forms: intrusion by viruses, trojans and similar programs that spread over the network, and network-based attacks such as information theft.
Analysis shows that the security problems facing a local area network computer system are closely related to the storage system (including removable storage devices) and the network; the occurrence, propagation and spread of security problems always involve these factors. For example, viruses and trojans run as program code stored on the hard disk; illegal document copying and leaking normally use output devices such as the network, removable storage devices and even printers to move data out once important data has been obtained; and network sniffing, network attacks and the spread of most malicious programs are inseparable from the network. Table 1 lists the relationship between security problems and these factors.
| Security problem | Storage system | Network | Application (e.g. network printer) |
|---|---|---|---|
| Standalone virus | √ | | |
| Data alteration | √ | √ | |
| Denial-of-service attack | | √ | |
| Network sniffing | | √ | |
| Man-in-the-middle attack | | √ | |
| Network trojan | √ | √ | |
| Attack on a security protocol | | √ | |
| Password and key guessing | √ | √ | |
| Unauthorized software installation | √ | | |
| Access to unauthorized resources | √ | √ | |
| Visiting illegal websites | | √ | |
| Illegal document copying | √ | √ | |
| Illegal file printing | | | √ |

Table 1: Key factors involved in common security problems
On the other hand, every computer in the local area network is an independent entity with its own complete hard disk, network interface and other equipment, and the LAN system as a whole works through cooperation among these independent computer entities. Because the LAN lacks an effective centralized and unified control mechanism, it is difficult to supervise, control and manage, from the system's point of view, the data stored on each independent computer, the program code it runs and the information it transmits over the network. As a result security problems emerge endlessly and are hard to contain.
Faced with these many security problems, existing security systems mostly address some specific security problem; few consider the security of the LAN system as a whole, and fewer still control the factors related to security problems at the architectural level, so all of them have certain limitations. Tables 2 and 3 list the common security solutions in use today and the security problems they address.
| Security approach | Storage system | Network | Application (e.g. network printer) |
|---|---|---|---|
| Anti-virus software | √ | | |
| Firewall | | √ | |
| VPN | | √ | |
| PKI security system | | √ | |
| Encryption device | | √ | |
| Intrusion detection system | √ | √ | |
| Trusted computer | √ | √ | |

Table 2: Key factors involved in the security problems addressed by common security approaches
Destructive attack | Information theft | Violation operation | Information leakage behaviour | | | |
Virus | Other | Trojan | Network information stolen | Illegal Internet access | Other | |
Anti-virus software | √ | √ | |||||
Fire compartment wall | √ | √ | |||||
VPN | √ | ||||||
The PKI safety system | √ | ||||||
Encryption equipment | √ | ||||||
Intruding detection system | √ | √ | |||||
Trusted computer | √ | √ | √ |
Table 3: Common security approaches and the classes of security problem they solve
Furthermore, LAN security is the foundation of wide area network security: LAN security must be guaranteed before WAN security problems can be solved. This paper therefore proposes a secure LAN structure at the architectural level that protects the LAN computer system and thereby lays a solid foundation for WAN security.
Summary of the invention
The object of the present invention is to provide a secure star-shaped local area network computer system that protects the LAN computer system automatically.
The invention is characterized in that:
The system contains a resource server, network application servers, a monitoring unit and security terminals, wherein:
A. The resource server is provided with: the resources, comprising operating systems, application software and data files, offered for use by all security terminals; the access rights of each resource, also called its security level; an identity identifier used to determine the user's identity; and a log record kept when resources are accessed.
B. The security terminal: the local client computer of each terminal is provided with a monitoring-control command input, a resource data input, and a username/password input or a USB interface.
C. The monitoring unit comprises a main monitoring unit and several sub-monitoring units connected to it. Each sub-monitoring unit connects to several security terminals, and one sub-monitoring unit or the main monitoring unit connects to a gateway to the external network. The main monitoring unit is provided with an interface to the resource server and an interface to the network application servers. It also holds the monitoring strategy set, which comprises: the IP address of each client computer; each client's permission to connect to other computers, including the other clients in the LAN, the network printer and the external network; the characteristic information of various attack behaviours; the right to force a restart of any client when necessary; and the security levels defined for the sensitive data stored on the network application server or provided by other secure application systems, together with the classification of that sensitive data by level. Security levels are an ascending sequence of positive integers in which a smaller number denotes a higher level. A security terminal that accesses sensitive data is given the same security level as that data, and a user may only communicate with other users whose security level is not lower than (including equal to) their own; from the external network and from users of lower security level the monitoring unit physically isolates them, so that sensitive data cannot leak. The monitoring method used by the monitoring unit contains the following steps in sequence.
Step (1). The security terminal starts and the user logs in:
Step (1.1). The user boots the system from the resource server through the monitoring unit, downloads the programs and data files needed to run, and monitoring of the terminal starts;
Step (1.2). The user enters a username and password, or authenticates with a USB key device; the identity and data request are sent through the sub-monitoring unit the terminal is connected to, to the main monitoring unit, and the login succeeds;
Step (2). User identity authentication:
Step (2.1). The sub-monitoring unit of step (1.2) forwards the user's identity and data request through the main monitoring unit to the resource server;
Step (2.2). After receiving the identity sent in step (2.1), the resource server authenticates it and sends either a data response or an error notification to the main monitoring unit;
Step (2.3). The main monitoring unit sends the data response or the error notification to the security terminal through the corresponding sub-monitoring unit;
Step (3). The monitoring unit monitors the communication among security terminals, and between security terminals and the resource server and the network servers, with the following steps in sequence:
Step (3.1). The monitoring unit initializes the security level of every security terminal to the lowest level, i.e. the common level;
Step (3.2). The monitoring unit compares the level of the security terminal making an access request:
If the requesting terminal's security level equals that of the terminal being accessed, communication is allowed; otherwise it is refused;
If a security terminal accesses the resource server or a network application server and the security level of the requested resource is higher than the terminal's own, the terminal's security level is set to the resource's level; otherwise the terminal's own level is unchanged.
D. The network application servers are any one, or a combination, of an e-mail server, a print server, a data server and a WEB server, each provided with an interface to the main monitoring unit.
This paper proposes a secure LAN architecture that addresses and solves the security problems of the LAN at the architectural level, giving higher security and more initiative. Compared with other schemes, its main advantages are:
■ It solves security problems starting from the architecture
Existing security systems usually focus on solving one class of security problem, or are integrations of several security approaches; because they do not start from the architecture, they cannot adequately meet the various security requirements a LAN faces.
■ It uses centralized, unified management and control
The independence of each computer in a network computer system is the main reason the system produces security problems, so centrally controlling each independent individual in the network is the core of controlling security problems. This scheme proposes one approach to centralized control of a LAN system.
■ It can perform dynamic physical isolation
In fields such as finance and national defence, computers and networks handling classified material are usually isolated, or a dedicated network is used together with separate computers for Internet access; this is not only cumbersome to operate but very expensive. Using the monitoring components and the monitoring strategy set, this scheme can physically isolate computers handling classified material from external networks while the user keeps working on the same computer, which helps reduce cost.
Description of drawings
Fig. 1: structure of the system of the present invention.
Fig. 2: security terminal start-up and login flow.
Fig. 3: flow of the monitoring unit monitoring communication between a security terminal and the resource server.
Fig. 4: flow of the monitoring unit monitoring communication among security terminals and between security terminals and the resource server and the network application servers:
(1) A, B, C and D can communicate with one another, access the external network and access the network application server;
(2) B, C and D can communicate with one another, access the external network and access the network application server; A cannot access the external network or the network application server and cannot communicate with B, C or D;
(3) B and C can communicate with each other, access the external network and access the network application server; A and D cannot access the external network or the network application server and cannot communicate with B or C, but A and D can communicate with each other.
Embodiment
The main modules of the system are of four kinds: security terminals, the resource server, the monitoring unit and the network application servers, described in turn below.
The security terminal is the operating terminal the system provides to the user; on a security terminal the user does the work that would otherwise be done on an ordinary computer. A security terminal differs from an ordinary computer in its operating mechanism: the system requires that all software programs run on a security terminal and all data it uses come from the resource server in the LAN, i.e. all program files and data file resources in the system are stored on the resource server and the security terminal can only use them over the network. At the same time this is required to be transparent to the user, i.e. the user cannot perceive how these resources are used.
The main functions of the security terminal are:
■ It accesses the resource server over the network, providing a transparent resource storage service for the local computer. The system requires that the operating system, application software and data files a security terminal uses all come from the system's resource server, which prevents the user from running unauthorized programs and also effectively guards against malicious programs such as viruses and trojans;
■ It uses a local computation model. Programs on a security terminal run locally on the terminal's own computer, not in a server computation model;
■ It accepts control commands from the monitoring device, implementing a forced-restart facility;
■ The terminal's common input/output interfaces such as USB and IEEE 1394 may only be connected to devices designated and authorized by the system, so that removable storage cannot be attached to these interfaces to leak important data;
■ The terminal confirms the user's identity by a USB key device or a username and password, and can pass the user's identity to devices such as the resource server.
The resource server provides program and data resources for all security terminals in the system; that is, all program files and data file resources in the system are stored on it. It also keeps access rights for each resource, including read, write and execute permissions, thereby limiting and managing how security terminals access programs, data and other resources.
The main functions of the resource server are:
■ It provides security terminals with the resources they need over the network;
■ It provides an access-control mechanism for each resource it offers, so that only legitimate users can reach the corresponding resource;
■ It uses an identity-authentication mechanism to determine the identity of security terminals and their users, making the subject of resource access control explicit.
In general, data communication between a security terminal and the resource server passes through several monitoring units. Let the security terminal be A, the resource server B and the monitoring unit directly connected to the resource server C; the communication between the terminal and the resource server is then as shown in Fig. 3. According to B's response, device C sends a monitoring-strategy control command (if there is one) to the relevant set of monitoring units to change the monitoring strategy set of the target monitoring unit, so that the system dynamically controls network communication behaviour according to the data communication between security terminals and the resource server.
The monitoring unit is mainly responsible for transmitting, supervising and controlling the data transmitted on the network. Every component of the system connects directly to a monitoring unit over the network, and all data transfers in the system pass through a monitoring unit.
The monitoring unit internally maintains the monitoring strategy set and controls the data transmission process according to it. The monitoring strategy mainly comprises:
a) Each client computer's permission to connect to other computers over the network, where the other computers include other clients in the LAN, shared printers on the network, the external network, and so on;
b) Characteristic information of various attack behaviours, according to which the monitoring unit processes the data transmitted over the network;
c) A mandatory control strategy for sensitive data stored on the data server or provided by other secure application systems: sensitive data is classified by security level, a user who accesses sensitive data is given the same security level, and the user's communication range is limited by that level. For example, user A is required to communicate only with users whose security level is not lower than A's; from the external network and from users of lower level than A, the monitoring unit physically isolates A, so that the sensitive data cannot leak;
d) Control of individual client computers: the system must have absolute control over the clients and, when necessary, can force a client to restart in order to regain control.
Through the monitoring strategy, the monitoring unit achieves the following functions:
■ Resisting network attacks: because the monitoring unit is at the centre of the star network, it can analyse and filter the data it forwards to check whether it contains malicious programs such as viruses or trojans, or other attacks. Once the monitoring unit finds such malicious data in traffic from some host, it can cut off the current data exchange so the malicious behaviour cannot endanger other hosts in the system.
■ Dynamic data transmission control: the monitoring unit has the same forwarding function as a switch and can forward network data between computers. Unlike a switch, it controls the transmission between computers according to the monitoring strategy. Because the contents of the monitoring strategy set change dynamically, the control exerted by the monitoring unit is also dynamic. And since the monitoring unit exercises this control on the central link, the isolation is a physical security measure and fully reliable.
■ Preventing information theft by network sniffing: because client computers connect directly to the monitoring unit, the monitoring unit can prevent an attacker from illegally obtaining other people's communication data by sniffing the network.
■ Preventing leakage of sensitive data: the monitoring unit can monitor the service protocol the data server provides; after a user accesses an important file on the data server, it can, according to the monitoring strategy, restrict the network access rights of the host the user is using, for example forbidding all data communication between that host and unauthorized nodes until the host restarts. Because the client has no local storage, the secret file obtained cannot be leaked to other unauthorized users. In addition, if the gateway is also connected to the monitoring unit, the monitoring unit can restrict the host's permission to connect to the external network on the physical link, so that sensitive data cannot leak outside. Since these control measures are also carried out by the monitoring unit on the physical link according to the monitoring strategy, they are more secure and reliable.
■ Monitoring-strategy management service: the administrator can formulate the monitoring strategy the monitoring unit uses according to the operating environment and security requirements. In addition, the monitoring unit provides a secure monitoring-strategy management service that accepts control commands from other modules in the system and dynamically changes its own monitoring strategy, so as to control the network data transmission paths dynamically. In short, in this system every computer connects directly only to a monitoring unit, all data communication between computers passes through a monitoring unit, and the monitoring unit can analyse, filter, control and audit the network data passing through it according to the configured monitoring strategy, thereby blocking network attacks and preventing confidential information from leaking over the network to unauthorized users. This effectively solves the security problems caused by network interconnection within the LAN.
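The following is an added example written for this page, not code from the patent: it models the monitoring unit as the hub of the star applying strategy items a), b) and d) above to each frame it is asked to forward. A frame is dropped unless the source is permitted to reach the destination; a frame matching an attack characteristic is dropped and its source host is cut off until a forced restart; and a control command can change the permission table at run time. The class and method names, the IP addresses, the peer names and the signature bytes are all assumptions, and the frames are constructed sample input. One caveat a practitioner would add: everything here rests on the hub being the only path between nodes, so the hub's own integrity and the absence of any side link are the real security assumptions of the design.

```python
# Added example (not the patent's code): the monitoring unit as the star hub,
# applying strategy items a), b) and d) to the frames it is asked to forward.
# Class and method names, addresses and signature bytes are assumptions.
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Frame:
    src: str        # client IP address (item a) keys on the client's IP)
    dst: str        # peer: another client IP, "printer", "extranet", ...
    payload: bytes


class HubFilter:
    """Every frame between two nodes passes here; nothing is forwarded by default."""

    def __init__(self, connections: Dict[str, Iterable[str]], signatures: Iterable[bytes]):
        self.connections: Dict[str, Set[str]] = {k: set(v) for k, v in connections.items()}
        # item b): attack characteristics, here plain byte-string signatures
        self.signatures = [re.compile(re.escape(s)) for s in signatures]
        self.cut_off: Set[str] = set()   # hosts whose exchanges were cut after a hit
        self.audit: List[str] = []       # the unit also audits what it sees

    def decide(self, f: Frame) -> str:
        if f.src in self.cut_off:
            verdict = "drop:cut-off"
        elif f.dst not in self.connections.get(f.src, set()):
            verdict = "drop:not-permitted"          # item a): no connection right
        elif any(p.search(f.payload) for p in self.signatures):
            self.cut_off.add(f.src)                 # cut the exchange, quarantine src
            verdict = "drop:attack"
        else:
            verdict = "forward"
        self.audit.append(f"{f.src}->{f.dst} {verdict}")
        return verdict

    def set_connection(self, src: str, dst: str, allowed: bool) -> None:
        """Dynamic strategy change pushed by another module (a control command)."""
        peers = self.connections.setdefault(src, set())
        if allowed:
            peers.add(dst)
        else:
            peers.discard(dst)

    def force_restart(self, host: str) -> None:
        """Item d): a forced restart is the only way a cut-off host is readmitted."""
        self.cut_off.discard(host)


def demo() -> List[str]:
    """Constructed policy and frames; returns the verdict for each frame in order."""
    hub = HubFilter(
        connections={
            "10.0.0.11": {"10.0.0.12", "printer", "extranet"},
            "10.0.0.12": {"10.0.0.11", "printer"},      # .12 has no extranet right
        },
        signatures=[b"cmd.exe /c", b"\x90\x90\x90\x90"],
    )
    frames = [
        Frame("10.0.0.11", "10.0.0.12", b"GET /report.doc"),       # permitted
        Frame("10.0.0.12", "extranet", b"GET / HTTP/1.0"),         # not permitted
        Frame("10.0.0.12", "10.0.0.11", b"run cmd.exe /c del *"),  # signature hit
        Frame("10.0.0.12", "printer", b"%!PS-Adobe-3.0"),          # source now cut off
    ]
    verdicts = [hub.decide(f) for f in frames]
    hub.force_restart("10.0.0.12")                                # readmitted
    verdicts.append(hub.decide(Frame("10.0.0.12", "printer", b"%!PS-Adobe-3.0")))
    hub.set_connection("10.0.0.12", "extranet", True)            # strategy changed
    verdicts.append(hub.decide(Frame("10.0.0.12", "extranet", b"GET / HTTP/1.0")))
    return verdicts
```

`demo()` yields forward, drop:not-permitted, drop:attack, drop:cut-off, forward, forward, which traces the three mechanisms in order; the `audit` list on the hub is what an administrator would review.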
A LAN usually contains some network servers, such as an e-mail server, print server, WEB server and data server. In this system the monitoring unit can dynamically control the network connectivity between security terminals and these servers according to the monitoring strategy set, thereby isolating security attacks and preventing leakage over the network.
The start-up and login flow of a security terminal is shown in Fig. 2.
As noted above, the monitoring capability of the monitoring unit is determined by the monitoring strategy set, and since that set normally changes dynamically, the control range of the monitoring unit also changes dynamically.
According to the sensitivity of the data stored on the resource server, the system defines a security-level attribute for each resource. In addition, the system maintains for every security terminal a security-level attribute that can change at run time, with the rules:
(1) the security level of a security terminal is initialized to the lowest level (the common level);
(2) a security terminal accessing a resource whose level is lower than or equal to its own does not change its own level;
(3) after a security terminal accesses a resource whose level is higher than its own, its level is raised to the resource's level;
(4) a security terminal can only communicate with other terminals whose security level equals its own;
(5) if the external network is treated in the same way as the LAN, it is a special security terminal whose security level is fixed and cannot change.
To explain the dynamic monitoring function of the monitoring unit, this paper uses a simple environment as an example.
Suppose the system contains a set of monitoring units, and the security terminals are A, B, C and D. The security levels in the system are divided into two grades, 0 and 1, where 0 is the common grade and 1 is the sensitive grade, and a client's level after start-up is required to be 0. Suppose the resources on the resource server consist of three files, whose names and security levels are given in Table 4.

| File name | Security level |
|---|---|
| file1 | 0 |
| file2 | 0 |
| file3 | 1 |

Table 4: Resources and their security levels on the resource server
With these settings, the system's state is divided into three stages:
■ Stage 1: the security levels of A, B, C and D are all 0, as in Fig. 4 (1)
All terminals can communicate with one another, access the external network and access the network application server.
■ Stage 2: the security level of A is 1 and those of B, C and D are 0, as in Fig. 4 (2)
If A has accessed file3, whose security level is 1, A's own level is raised to 1;
B, C and D can communicate with one another, access the external network and access the network application server;
A cannot communicate with B, C or D, cannot reach the external network and cannot access the network application server.
■ Stage 3: the security levels of A and D are 1 and those of B and C are 0, as in Fig. 4 (3)
If D has also accessed file3, whose security level is 1, D's own level is raised to 1;
B and C can communicate with each other, access the external network and access the network application server;
A and D can communicate with each other, but cannot communicate with B or C, cannot reach the external network and cannot access the network application server.
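The following is an added simulation written for this page, not the patent's implementation: it encodes rules (1) to (5) above and replays the three stages of Fig. 4, with the login and authentication exchange of steps (1) and (2) in front of it (identity forwarded to the resource server, which answers with data or an error and keeps the log record). Two points the page leaves implicit are made explicit here. First, the numbering follows this worked example (0 = common, 1 = sensitive), so "higher level" means a larger number; the claim text numbers levels the other way round, and only the direction of the comparison would change. Second, the page states the communication rule both as "equal level" (rules, step 3.2) and as "not lower than one's own" (summary, strategy item c); the code enforces equality, which is what the stages show, and which the "not lower" wording amounts to once communication must be permitted in both directions. Note also that nothing lowers a terminal's level except a forced restart, so a busy terminal ratchets upward and must be restarted to rejoin the common level. The class and method names, the user credentials and the fixed-level peers `extranet` and `app-server` are assumptions; the files and levels are those of Table 4.

```python
# Added example (not the patent's code): level rules (1)-(5) and the Fig. 4
# stages, with the step (1)-(2) login in front. Names, credentials and the
# peers "extranet"/"app-server" are assumptions; 0 = common, 1 = sensitive.
from typing import Dict, List, Optional, Set, Tuple

COMMON = 0  # lowest level; every terminal starts here and returns here on restart


class ResourceServer:
    """Stores each resource's security level, authenticates users, keeps the log."""

    def __init__(self, resources: Dict[str, int], users: Dict[str, str]):
        self.resources = dict(resources)
        self.users = dict(users)          # username -> password (constructed)
        self.log: List[Tuple[str, str, str]] = []

    def authenticate(self, user: str, password: str) -> bool:
        ok = self.users.get(user) == password
        self.log.append(("login", user, "ok" if ok else "error"))
        return ok

    def level_of(self, user: str, resource: str) -> Optional[int]:
        if resource not in self.resources:
            self.log.append(("access", user, f"{resource}:error"))
            return None
        self.log.append(("access", user, resource))   # identity + resource record
        return self.resources[resource]


class LevelPolicy:
    """The monitoring unit's view: one mutable level per terminal, fixed peers."""

    def __init__(self, server: ResourceServer, terminals: List[str]):
        self.server = server
        self.level: Dict[str, int] = {t: COMMON for t in terminals}   # rule (1)
        self.user: Dict[str, Optional[str]] = {t: None for t in terminals}
        # rule (5): the extranet (and here the application servers) are special
        # terminals whose level never changes
        self.fixed: Dict[str, int] = {"extranet": COMMON, "app-server": COMMON}

    def login(self, terminal: str, user: str, password: str) -> bool:
        # steps (1.2)-(2.3): identity goes sub-unit -> main unit -> resource
        # server, which answers with a data response or an error notification
        if self.server.authenticate(user, password):
            self.user[terminal] = user
            return True
        return False

    def access(self, terminal: str, resource: str) -> bool:
        user = self.user[terminal]
        if user is None:
            return False                    # no identity, no data request
        lvl = self.server.level_of(user, resource)
        if lvl is None:
            return False
        if lvl > self.level[terminal]:      # rule (3): take the higher level
            self.level[terminal] = lvl      # rule (2): never lowered by access
        return True

    def _level(self, node: str) -> int:
        return self.level[node] if node in self.level else self.fixed[node]

    def can_communicate(self, a: str, b: str) -> bool:
        return self._level(a) == self._level(b)     # rule (4), symmetric

    def reachable(self, node: str) -> Set[str]:
        peers = [p for p in list(self.level) + list(self.fixed) if p != node]
        return {p for p in peers if self.can_communicate(node, p)}

    def force_restart(self, terminal: str) -> None:
        self.level[terminal] = COMMON       # the only way back to the common level
        self.user[terminal] = None


def run_scenario() -> Dict[str, Dict[str, Set[str]]]:
    """Replay the three stages of Fig. 4; returns each stage's reachability map."""
    server = ResourceServer({"file1": 0, "file2": 0, "file3": 1},
                            {"alice": "pw-a", "dave": "pw-d"})
    mu = LevelPolicy(server, ["A", "B", "C", "D"])
    if not (mu.login("A", "alice", "pw-a") and mu.login("D", "dave", "pw-d")):
        raise RuntimeError("login failed")
    stages = {"stage1": {t: mu.reachable(t) for t in "ABCD"}}
    mu.access("A", "file3")                 # A is promoted to level 1
    stages["stage2"] = {t: mu.reachable(t) for t in "ABCD"}
    mu.access("D", "file3")                 # D joins A at level 1
    stages["stage3"] = {t: mu.reachable(t) for t in "ABCD"}
    return stages
```

In stage 2 `reachable("A")` is empty and B still reaches C, D, the extranet and the application server; in stage 3 A and D reach only each other. The same `LevelPolicy` object can be used to check the edge cases: accessing a level-0 file from a level-1 terminal leaves it at 1, and `force_restart` is what brings it back to 0.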
Against the security problems listed in the Background section, the protection provided by the secure LAN architecture proposed in this paper is listed below.

| | Storage system | Network | Application (e.g. network printer) |
|---|---|---|---|
| Secure LAN architecture | √ | √ | √ |

| | Destructive attack: virus | Destructive attack: other | Information theft: trojan | Information theft: network information stolen | Violation: illegal Internet access | Violation: other | Information leakage behaviour |
|---|---|---|---|---|---|---|---|
| Secure LAN architecture | √ | √ | √ | √ | √ | √ | √ |

As the tables show, the security architecture proposed here protects the LAN at the architectural level, effectively defends against multiple attack methods and improves the security of the LAN system.
Claims (1)
1. A secure star-shaped local area network computer system, characterized in that the system contains a resource server, network application servers, a monitoring unit and security terminals, wherein:
A. The resource server is provided with: the resources, comprising operating systems, application software and data files, offered for use by all security terminals; the access rights of each resource, also called its security level; an identity identifier used to determine the user's identity; and a log record kept when resources are accessed.
B. The security terminal: the local client computer of each terminal is provided with a monitoring-control command input, a resource data input, and a username/password input or a USB interface.
C. The monitoring unit comprises a main monitoring unit and several sub-monitoring units connected to it. Each sub-monitoring unit connects to several security terminals, and one sub-monitoring unit or the main monitoring unit connects to a gateway to the external network. The main monitoring unit is provided with an interface to the resource server and an interface to the network application servers. It also holds the monitoring strategy set, which comprises: the IP address of each client computer; each client's permission to connect to other computers, including the other clients in the LAN, the network printer and the external network; the characteristic information of various attack behaviours; the right to force a restart of any client when necessary; and the security levels defined for the sensitive data stored on the network application server or provided by other secure application systems, together with the classification of that sensitive data by level. Security levels are an ascending sequence of positive integers in which a smaller number denotes a higher level. A security terminal that accesses sensitive data is given the same security level as that data, and a user may only communicate with other users whose security level is not lower than (including equal to) their own; from the external network and from users of lower security level the monitoring unit physically isolates them, so that sensitive data cannot leak. The monitoring method used by the monitoring unit contains the following steps in sequence.
Step (1). The security terminal starts and the user logs in:
Step (1.1). The user boots the system from the resource server through the monitoring unit, downloads the programs and data files needed to run, and monitoring of the terminal starts;
Step (1.2). The user enters a username and password, or authenticates with a USB key device; the identity and data request are sent through the sub-monitoring unit the terminal is connected to, to the main monitoring unit, and the login succeeds;
Step (2). User identity authentication:
Step (2.1). The sub-monitoring unit of step (1.2) forwards the user's identity and data request through the main monitoring unit to the resource server;
Step (2.2). After receiving the identity sent in step (2.1), the resource server authenticates it and sends either a data response or an error notification to the main monitoring unit;
Step (2.3). The main monitoring unit sends the data response or the error notification to the security terminal through the corresponding sub-monitoring unit;
Step (3). The monitoring unit monitors the communication among security terminals, and between security terminals and the resource server and the network servers, with the following steps in sequence:
Step (3.1). The monitoring unit initializes the security level of every security terminal to the lowest level, i.e. the common level;
Step (3.2). The monitoring unit compares the level of the security terminal making an access request:
If the requesting terminal's security level equals that of the terminal being accessed, communication is allowed; otherwise it is refused;
If a security terminal accesses the resource server or a network application server and the security level of the requested resource is higher than the terminal's own, the terminal's security level is set to the resource's level; otherwise the terminal's own level is unchanged.
D. network application server, any one or their combination in e-mail server, printing server, data server, the WEB server are provided with the interface that links to each other with described main monitoring unit.
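The level rules of claim C and steps (3.1)-(3.2) above, modelled in Python as an added example (this is not code from the patent or its applicant). It assumes levels are positive integers with 1 the highest, picks an arbitrary value for the "ordinary" level, and invents the terminal and resource names, the connection-permission table and the audit-record layout. It shows the point the claim is making: once a terminal touches data of a higher level it carries that level (a high-water-mark label) and can no longer exchange data with ordinary peers or the isolated external network, so the sensitive data cannot flow downwards.

```python
"""Model of the monitoring unit's level-based communication control.

Constructed illustration of claim C and steps (3.1)-(3.2): levels are
ascending positive integers, smaller = higher; every terminal starts at
the lowest (ordinary) level; peers talk only at equal levels; reading a
higher-level resource raises the terminal's own level; the external
network is always isolated.  All names and values below are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ORDINARY_LEVEL = 4            # lowest level used in this example (assumed)
EXTERNAL = "external-network"  # placeholder name for the outside network


@dataclass
class MonitoringUnit:
    # resource name -> security level assigned by the Resource Server
    resource_levels: Dict[str, int]
    # terminal -> peers it may connect to (part of the monitoring policy set)
    connection_policy: Dict[str, Set[str]]
    levels: Dict[str, int] = field(default_factory=dict)
    # audit records: (source, destination, decision, reason)
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        for lvl in self.resource_levels.values():
            if not (isinstance(lvl, int) and lvl >= 1):
                raise ValueError("security levels must be positive integers")
        # Step (3.1): every terminal begins at the lowest, ordinary level
        self.levels = {t: ORDINARY_LEVEL for t in self.connection_policy}

    def _record(self, src: str, dst: str, decision: str, reason: str) -> bool:
        self.audit.append((src, dst, decision, reason))
        return decision == "allow"

    def terminal_to_terminal(self, src: str, dst: str) -> bool:
        """Step (3.2), first rule: peers may communicate only at equal levels."""
        if dst == EXTERNAL or dst not in self.levels:
            # physical isolation of the external network and unknown hosts
            return self._record(src, dst, "deny", "isolated")
        if dst not in self.connection_policy.get(src, set()):
            return self._record(src, dst, "deny", "not permitted by policy set")
        if self.levels[src] != self.levels[dst]:
            return self._record(src, dst, "deny",
                                f"level {self.levels[src]} != {self.levels[dst]}")
        return self._record(src, dst, "allow", "equal level")

    def terminal_to_resource(self, src: str, resource: str) -> bool:
        """Step (3.2), second rule: a more sensitive resource raises the
        terminal's level; it is not refused, but the terminal is now
        confined to peers of that same level."""
        if resource not in self.resource_levels:
            return self._record(src, resource, "deny", "unknown resource")
        res_level = self.resource_levels[resource]
        if res_level < self.levels[src]:      # smaller number = higher level
            self.levels[src] = res_level
            return self._record(src, resource, "allow",
                                f"level raised to {res_level}")
        return self._record(src, resource, "allow", "level unchanged")


def demo() -> dict:
    """Walk through a leak scenario; returns each decision for inspection."""
    mu = MonitoringUnit(
        resource_levels={"payroll.xls": 2, "handbook.pdf": ORDINARY_LEVEL},
        connection_policy={
            "pc-a": {"pc-b", "printer"},
            "pc-b": {"pc-a", "printer"},
            "printer": set(),
        },
    )
    out = {}
    out["before"] = mu.terminal_to_terminal("pc-a", "pc-b")        # True
    mu.terminal_to_resource("pc-a", "handbook.pdf")                # no change
    out["ordinary_read"] = mu.levels["pc-a"]                       # 4
    mu.terminal_to_resource("pc-a", "payroll.xls")                 # raised to 2
    out["after"] = mu.terminal_to_terminal("pc-a", "pc-b")         # False
    out["reverse"] = mu.terminal_to_terminal("pc-b", "pc-a")       # False
    out["printer"] = mu.terminal_to_terminal("pc-a", "printer")    # False
    out["external"] = mu.terminal_to_terminal("pc-a", EXTERNAL)    # False
    mu.terminal_to_resource("pc-b", "payroll.xls")                 # pc-b raised
    out["both_raised"] = mu.terminal_to_terminal("pc-a", "pc-b")   # True
    out["levels"] = dict(mu.levels)
    out["audit"] = list(mu.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list stands in for the log records claim A requires; a deployment would forward it to the main monitoring unit rather than keep it in memory. Note that the model implements the strict equality test of step (3.2) for terminal-to-terminal traffic, while claim C phrases the rule as "not lower than (including equal to)"; the two coincide once the level only ever rises, because the leak-relevant case (higher-level terminal sending to a lower-level one) is refused by both.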
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2006100120935A CN100539499C (en) | 2006-06-02 | 2006-06-02 | A kind of safe star-shape local network computer system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2006100120935A CN100539499C (en) | 2006-06-02 | 2006-06-02 | A kind of safe star-shape local network computer system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1889427A true CN1889427A (en) | 2007-01-03 |
CN100539499C CN100539499C (en) | 2009-09-09 |
Family
ID=37578688
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2006100120935A Expired - Fee Related CN100539499C (en) | 2006-06-02 | 2006-06-02 | A kind of safe star-shape local network computer system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100539499C (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009026840A1 (en) * | 2007-08-24 | 2009-03-05 | Beijing Chaoyang Info-Net Center | A system for sorting and classifying users of an image information management system |
CN101247290B (en) * | 2008-03-14 | 2010-12-08 | 中兴通讯股份有限公司 | Ethernet switchboard high temperature ageing real-time monitoring method and system |
CN101296468B (en) * | 2008-06-02 | 2011-05-04 | 深圳国人通信有限公司 | Communication method of main monitoring unit and each module in radio communication system |
CN102185867A (en) * | 2011-05-19 | 2011-09-14 | 苏州九州安华信息安全技术有限公司 | Method for realizing network security and star network |
CN102497382A (en) * | 2011-12-26 | 2012-06-13 | 苏州风采信息技术有限公司 | Method of security confidentiality strategy |
CN101594360B (en) * | 2009-07-07 | 2012-07-25 | 清华大学 | Local area network system and method for maintaining safety thereof |
CN103377337A (en) * | 2012-04-27 | 2013-10-30 | 通用电气航空系统有限公司 | Security system and method for controlling interactions between components of a computer system |
CN110166473A (en) * | 2019-05-29 | 2019-08-23 | 中国移动通信集团江苏有限公司 | Network data transmission detection method, device, equipment and medium |
CN112714035A (en) * | 2019-10-25 | 2021-04-27 | 中兴通讯股份有限公司 | Monitoring method and system |
CN115459943A (en) * | 2022-07-28 | 2022-12-09 | 新华三信息安全技术有限公司 | Resource access method and device |
- 2006-06-02 CN CNB2006100120935A patent/CN100539499C/en not_active Expired - Fee Related
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009026840A1 (en) * | 2007-08-24 | 2009-03-05 | Beijing Chaoyang Info-Net Center | A system for sorting and classifying users of an image information management system |
US8140532B2 (en) | 2007-08-24 | 2012-03-20 | Beijing Chaoy Ang Info-Net Center | System for sorting and classifying users of an image information management system |
CN101247290B (en) * | 2008-03-14 | 2010-12-08 | 中兴通讯股份有限公司 | Ethernet switchboard high temperature ageing real-time monitoring method and system |
CN101296468B (en) * | 2008-06-02 | 2011-05-04 | 深圳国人通信有限公司 | Communication method of main monitoring unit and each module in radio communication system |
CN101594360B (en) * | 2009-07-07 | 2012-07-25 | 清华大学 | Local area network system and method for maintaining safety thereof |
CN102185867A (en) * | 2011-05-19 | 2011-09-14 | 苏州九州安华信息安全技术有限公司 | Method for realizing network security and star network |
CN102497382A (en) * | 2011-12-26 | 2012-06-13 | 苏州风采信息技术有限公司 | Method of security confidentiality strategy |
CN103377337A (en) * | 2012-04-27 | 2013-10-30 | 通用电气航空系统有限公司 | Security system and method for controlling interactions between components of a computer system |
CN110166473A (en) * | 2019-05-29 | 2019-08-23 | 中国移动通信集团江苏有限公司 | Network data transmission detection method, device, equipment and medium |
CN112714035A (en) * | 2019-10-25 | 2021-04-27 | 中兴通讯股份有限公司 | Monitoring method and system |
CN115459943A (en) * | 2022-07-28 | 2022-12-09 | 新华三信息安全技术有限公司 | Resource access method and device |
Also Published As
Publication number | Publication date |
---|---|
CN100539499C (en) | 2009-09-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1889427A (en) | Safety star-shape local network computer system | |
US10212134B2 (en) | Centralized management and enforcement of online privacy policies | |
US8370939B2 (en) | Protection against malware on web resources | |
US8001610B1 (en) | Network defense system utilizing endpoint health indicators and user identity | |
US8789202B2 (en) | Systems and methods for providing real time access monitoring of a removable media device | |
US20130254870A1 (en) | Detecting and Thwarting Browser-Based Network Intrusion Attacks By a Virtual Machine Monitoring System, Apparatus, and Method | |
EP2387746B1 (en) | Methods and systems for securing and protecting repositories and directories | |
AU2015296791B2 (en) | Method and system for providing a virtual asset perimeter | |
CN1863211A (en) | Content filtering system and method thereof | |
JP2006252256A (en) | Network management system, method and program | |
AU2008325044A1 (en) | System and method for providing data and device security between external and host devices | |
Mudgerikar et al. | Edge-based intrusion detection for IoT devices | |
CN109302397B (en) | Network security management method, platform and computer readable storage medium | |
TW202137735A (en) | Programmable switching device for network infrastructures | |
Xue et al. | Design and implementation of a malware detection system based on network behavior | |
CN1925402A (en) | iSCSI identifying method, its initiating equipment and target equipment and identifying method | |
US20110289548A1 (en) | Guard Computer and a System for Connecting an External Device to a Physical Computer Network | |
Kang et al. | A strengthening plan for enterprise information security based on cloud computing | |
CN100428731C (en) | Method for preventing star-shape network from invading and attacking based on intelligent exchanger | |
CN1773411A (en) | Computer I/O port control program | |
WO2012163587A1 (en) | Distributed access control across the network firewalls | |
CN201707676U (en) | Virtualized enterprise information management system | |
RU2571725C2 (en) | System and method of controlling parameters of applications on computer user devices | |
Kolisnyk et al. | Analysis and Systematization of Vulnerabilities of Drone Subsystems | |
CN1842085A (en) | Access control service and control server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C17 | Cessation of patent right | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20090909; Termination date: 20110602 |