CN201821376U - Global network access control device and network equipment - Google Patents

Info

Publication number: CN201821376U
Application number: CN2010200467228U
Authority: CN (China)
Prior art keywords: access control, port, message, control rule, unit
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventor: 夹尚涛
Current assignee: Beijing Star Net Ruijie Networks Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Star Net Ruijie Networks Co Ltd
Priority date: 2010-01-08 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2010-01-08
Publication date: 2011-05-04
Application filed by Beijing Star Net Ruijie Networks Co Ltd

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the utility model provides a global network access control device and a network device. The device comprises an access control rule setting unit, a binding unit and a filter unit: the access control rule setting unit sets global access control rules; the binding unit associates the access control rules with the network device that requires access control; and the filter unit filters received packets according to the access control rules. The embodiment achieves access control over users as a whole and solves the problem of network abnormality that occurs under port-based user control when the port a user is connected to changes.

Description

Global network access control device and network device
Technical field
The utility model embodiment relates to a global network access control device and a network device, and belongs to the field of data communication technology.
Background
With the development of network communication technology, Ethernet has become widely used in daily life and provides great convenience for work and life. In particular, large and medium-sized enterprise networks greatly facilitate information exchange among enterprise users, and between internal and external users.
However, this high degree of interconnection also creates security problems for information resources. In an enterprise network, if the Ethernet switch through which users access the network does not provide a corresponding access control policy, it can easily be exploited by attackers to steal confidential data or launch malicious attacks.
To implement access control on packets, rules must first be configured that specify which packets (by their features) may pass and which may not. Such a rule entry is called an access control entry (ACE), and a set of such rules is called an access control list (ACL).
Each ACE consists of three parts: a rule, a mask and an action. The rule consists of a series of predefined matching fields and their corresponding field values; the fields include the source/destination Media Access Control (MAC) address, the source/destination Internet Protocol (IP) address, the carried protocol type, and so on. The mask corresponds one-to-one with the matching fields of the rule and indicates which bits of each field must be examined and which bits are ignored. The action is the policy applied to a packet that matches the rule; there are two actions, permit and deny.
For example: ACE1: Permit ip 192.168.1.2 any
In ACE1 the matching fields are the source and destination IP addresses, but because of the mask only the source IP address (192.168.1.2) is examined and the destination IP address (any) is ignored; the action is permit. This access control entry therefore means: permit any packet whose source IP address is 192.168.1.2.
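The following is an added example, not code from the patent or from the assignee's products, that models an ACE exactly as the paragraph above describes it: a rule (field values), a mask (the bits of each field that are compared) and an action, evaluated against packet fields with a ternary compare. It parses the page's textual form ("Permit ip 192.168.1.2 any", optionally followed by "mac <src> <dst>") and renders a field as a TCAM-style 0/1/x word so the effect of the mask is visible. The field names, the CIDR suffix for IP fields and the dotted-hex MAC form are this example's own assumptions.

```python
import ipaddress

PERMIT, DENY = "permit", "deny"
ANY = (0, 0)          # (value, mask): mask 0 means no bit of the field is examined
FIELD_WIDTH = {"src_ip": 32, "dst_ip": 32, "src_mac": 48, "dst_mac": 48}


def ip_spec(text):
    """'192.168.1.2' -> exact (value, mask); '192.168.1.0/24' -> mask from the prefix
    (the CIDR form is this example's own extension of the page's syntax); 'any' -> ANY."""
    if text == "any":
        return ANY
    net = ipaddress.IPv4Network(text, strict=False)
    return int(net.network_address), int(net.netmask)


def mac_spec(text):
    """'0000.0000.0001' (dotted hex) -> exact (value, all-ones mask); 'any' -> ANY."""
    if text == "any":
        return ANY
    return int(text.replace(".", "").replace(":", ""), 16), (1 << 48) - 1


class ACE:
    """rule[f] holds the field value; mask[f] holds the bits of that field that are compared."""

    def __init__(self, action, src_ip=ANY, dst_ip=ANY, src_mac=ANY, dst_mac=ANY):
        self.action = action
        specs = {"src_ip": src_ip, "dst_ip": dst_ip, "src_mac": src_mac, "dst_mac": dst_mac}
        self.rule = {f: v for f, (v, _) in specs.items()}
        self.mask = {f: m for f, (_, m) in specs.items()}

    @classmethod
    def parse(cls, line):
        """Parse the page's textual form: '<permit|deny> ip <src> <dst> [mac <src> <dst>]'."""
        tok = line.lower().split()
        action = tok[0]
        if action not in (PERMIT, DENY):
            raise ValueError(f"unknown action {action!r}")
        kw = {}
        i = 1
        while i < len(tok):
            if tok[i] == "ip":
                kw["src_ip"], kw["dst_ip"] = ip_spec(tok[i + 1]), ip_spec(tok[i + 2])
            elif tok[i] == "mac":
                kw["src_mac"], kw["dst_mac"] = mac_spec(tok[i + 1]), mac_spec(tok[i + 2])
            else:
                raise ValueError(f"unexpected token {tok[i]!r}")
            i += 3
        return cls(action, **kw)

    def matches(self, pkt):
        """Ternary compare: a field matches when packet and rule agree on every masked bit."""
        return all((pkt[f] & self.mask[f]) == (self.rule[f] & self.mask[f]) for f in FIELD_WIDTH)

    def ternary(self, field):
        """Render one field as a TCAM-style word of '0', '1' and 'x' (don't care), MSB first."""
        out = []
        for i in reversed(range(FIELD_WIDTH[field])):
            if not (self.mask[field] >> i) & 1:
                out.append("x")
            else:
                out.append("1" if (self.rule[field] >> i) & 1 else "0")
        return "".join(out)


def packet(src_ip, dst_ip, src_mac="0000.0000.0000", dst_mac="0000.0000.0000"):
    """Constructed packet header fields (as integers) for trying an ACE against."""
    return {"src_ip": ip_spec(src_ip)[0], "dst_ip": ip_spec(dst_ip)[0],
            "src_mac": mac_spec(src_mac)[0], "dst_mac": mac_spec(dst_mac)[0]}


if __name__ == "__main__":
    ace1 = ACE.parse("Permit ip 192.168.1.2 any")
    print(ace1.ternary("src_ip"), ace1.ternary("dst_ip"))      # 32 concrete bits, then 32 x's
    print(ace1.matches(packet("192.168.1.2", "10.0.0.1")))      # True: destination bits are ignored
    print(ace1.matches(packet("192.168.1.3", "10.0.0.1")))      # False
```

The point to keep in mind when reading such entries is that the mask, not the rule, decides what is actually checked: "any" is a field whose mask is all zeros, so the rule value stored for it is irrelevant, and a /24 prefix leaves the low eight bits of the source address as don't-care.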
In view of network security needs, existing Ethernet access switches all provide multiple network security mechanisms. The most common is port-based access control, in which a series of access rules is configured on each port to filter packets. This scheme, however, is unsuitable for scenarios in which the ports that network users connect through change frequently. In such scenarios we may only need to allow certain users connected to the switch to access the network, without caring which switch port each user is connected to. Port-based access control is then complicated to configure and inflexible: whenever a user's switch port changes, the configuration must be updated promptly, or the user's network access fails. Even if the functional requirement can be met with a special configuration, for example by configuring the access control entries that permit all users' packets on every port, hardware resources are wasted on a large scale.
Summary of the utility model
The purpose of the utility model embodiment is to provide a global network access control device and a network device that control users' access as a whole, solving the problem of network abnormality that occurs under port-based user control when the port a user is connected to changes.
To achieve this goal, the utility model embodiment provides a global network access control device comprising an access control rule setting unit, a binding unit and a filter unit;
the access control rule setting unit is used to set global access control rules;
the binding unit is used to associate the access control rules with the network device that requires access control;
the filter unit is used to filter received packets according to the access control rules.
To achieve this goal, the utility model embodiment also provides a network device that comprises the above device.
By setting global access control rules and associating them with the network device that requires access control, rather than binding them to a particular port of the network device, the utility model embodiment controls users' access as a whole and solves the problem of network abnormality that occurs under port-based user control when the port a user is connected to changes.
Description of drawings
Fig. 1 is a schematic diagram of an embodiment of the global network access control device of the utility model
Fig. 2 is a schematic diagram of the system topology of the utility model embodiment
Fig. 3 is a schematic diagram of a network device embodiment of the utility model
Embodiment
The purpose of the utility model embodiment is to provide a global network access control device and a network device that control users' access as a whole, solving the problem of network abnormality that occurs under port-based user control when the port a user is connected to changes.
The utility model is described in detail below with reference to the drawings.
Fig. 1 shows an embodiment of the global network access control device of the utility model; the device comprises an access control rule setting unit M1, a binding unit M2 and a filter unit M3.
The network access control device may be located in a network device that performs network access control, for example in a switch.
For example, in Fig. 2 three mobile personal computers (PCs) PC1, PC2 and PC3 are connected to switch A, but which port each is connected to is not fixed, and they may be moved during use. Switch A contains the access control device of the utility model embodiment and can control the access of the three PCs through that device. Fa in the figure denotes a Fast Ethernet port; for example Fa0/1 denotes the Fast Ethernet port labelled 0/1.
The access control rule setting unit M1 is used to set global access control rules.
An access control rule may specifically be: decide, according to the packet features of a received packet, whether the packet is allowed to pass. The packet features may include the packet's source/destination MAC address and/or source/destination IP address, and so on. For example, the rule may restrict passage to packets from a user with a specific MAC address and IP address, i.e. permit only packets whose source MAC address and source IP address are particular addresses.
For example, to allow the users of PC1 and PC2 in Fig. 2 to pass, where the MAC and IP addresses of PC1 and PC2 are:
PC1 (MAC: 0000.0000.0001, IP: 192.168.1.10)
PC2 (MAC: 0000.0000.0002, IP: 192.168.1.20)
the access control rules can be set as:
ACL_globle:
Entry 1: Permit ip 192.168.1.10 any mac 0000.0000.0001 any
Entry 2: Permit ip 192.168.1.20 any mac 0000.0000.0002 any
Entry 3: Deny any any
The above defines an access control list ACL_globle containing three access control entries. Entry 1 permits packets whose source IP address is 192.168.1.10 and whose source MAC address is 0000.0000.0001, i.e. it permits PC1's packets; entry 2 permits packets whose source IP address is 192.168.1.20 and whose source MAC address is 0000.0000.0002, i.e. it permits PC2's packets; entry 3 denies all other packets.
The access control rule setting unit is further used to set the effective time period of the access control rules.
For example, if access control is needed only from 8:00 to 18:00 each day, this can be achieved by setting the following time range:
Time_1:
periodic daily 8:00 to 18:00
A time-range is an object that manages a time span. After a time-range is bound to an ACL, the bound ACL takes effect only within the time period defined by the time-range.
The access control rule setting unit is further used to set a port that does not need access control as an exception port. For example, port Fa0/5 in Fig. 2 is the uplink port of switch A, used to receive packets sent by the upper-layer switch B and forward them to the user devices PC1, PC2 and PC3 connected to switch A. Packets sent and received on this port have all been checked by access control rule filtering and are trusted, so access control on this port is unnecessary; it can therefore be set as an exception port, and packets passing through it are forwarded directly without access control.
For example, it can be set as follows:
Address uplink interface Fa 0/5
which sets port Fa0/5 as the exception port.
The binding unit M2 is used to associate the access control rules with the network device that requires access control; the binding unit M2 may be connected to the access control rule setting unit M1.
Specifically, the binding unit may install the access control entries corresponding to the access control rules into a Ternary Content Addressable Memory (TCAM), forming TCAM entries. TCAM is a storage medium that supports fast comparison lookup. The access control entries are the software entries corresponding to the access control rules; installing them into the TCAM forms hardware entries, the TCAM entries, which correspond one-to-one with the access control entries. Each TCAM entry contains a port match bitmap representing a range of ports, and the binding unit sets the port match bitmap of each TCAM entry to all ports that require access control.
For example, if access control is required on all ports of the switch, the port match bitmap is set to all ports. Switch A in Fig. 2 has 12 ports, Fa0/1 to Fa0/12, so the match bitmap of the access control entries installed in the TCAM is 0xFFF (binary 1111 1111 1111, one bit per port). If an exception port does not need access control, such as the uplink port Fa0/5 of switch A, the port match bitmap is set to all ports except the exception port, i.e. the match bitmap of the access control entries installed in the TCAM is 0xFEF (binary 1111 1110 1111).
When the access control rule setting unit has set an effective time period for the access control rules, the effective time period can be bound to the access control rules; for example, Time_1 in the above example is bound to the access control list ACL_globle, so that ACL_globle takes effect only within the time period of Time_1. During the effective time period the system installs the access control entries of the ACL into the TCAM to form TCAM entries; outside the effective time period the system deletes the corresponding TCAM entries. This achieves access control based on an effective time period.
The filter unit M3 is used to filter received packets according to the access control rules; the filter unit M3 may be connected to the access control rule setting unit M1.
The filter unit can decide, according to the packet features of a received packet, whether the packet is allowed to pass. The packet features may include the source/destination MAC address and/or source/destination IP address, and so on. For example, according to the previously set access control rules it may permit only packets from a user with a specific MAC address and IP address, i.e. permit only packets whose source MAC address and source IP address are particular addresses. Specifically: if the address information of a received packet matches the address field values specified in the access control rule, the packet is permitted; otherwise it is denied.
Specifically, the filter unit may filter received packets according to the access control rules when the port on which a packet is received is a port that requires access control.
When the binding unit installs the access control entries corresponding to the access control rules into the TCAM to form TCAM entries, and sets the port match bitmap of the TCAM entries to all ports requiring access control, the filter unit may filter received packets according to the access control rules when the port on which a packet is received is included in the port match bitmap.
When the access control rule setting unit sets an effective time period for the access control rules, the filter unit may filter received packets according to the access control rules during that effective time period.
When the access control rule setting unit sets a port that does not need access control as an exception port, the binding unit does not associate the exception port when it associates the access control rules, so when the filter unit performs filtering, packets received on the exception port are passed directly.
For example, when the switch receives a packet it can extract the port on which the packet was received and then check whether that port is present in the port match bitmap of the TCAM entry. If it is not, as for an exception port, no access control is applied to the packet and it is passed directly. If the port is included in the port match bitmap, the source MAC address and source IP address of the packet are extracted and matched against the rules in the access control entries to determine whether the packet may pass. In this way all packets arriving through different ports can be controlled and managed globally.
Taking Fig. 2 as an example: after switch A receives a packet sent by PC1, it extracts the packet's receiving port and finds that the port is in the port match bitmap of the TCAM entry; it then extracts the packet's source address information and compares it with the rules in the access control entries. If a rule matches, the action of that control entry, Permit, is executed, i.e. the packet is forwarded.
After switch A receives a packet from PC3, its receiving port is also in the port match bitmap of the control entry, but the packet's source address information matches no permit rule in the access control entries and falls through to entry 3 (Deny any any), so the packet is dropped.
For a packet received on port Fa0/5, switch A extracts the receiving port and compares it with the port match bitmap of the TCAM entry; finding that the port is not in the port match bitmap, it applies no access control to the packet and allows it to be forwarded.
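The following is an added example, written for this page and not code from the patent or the assignee's switches, that models the whole flow described from the ACL_globle rules onward: the port match bitmap with the uplink exception port (0xFFF becoming 0xFEF), the time range that decides whether entries are installed in the TCAM at all, and the filter unit's decision for the three Fig. 2 cases (PC1, PC3, and a packet from switch B on Fa0/5). The port numbering (Fa0/1 as the least significant bit), the packet dictionary shape and the clock value passed to the binding step are this example's assumptions; the sample packets are constructed.

```python
from datetime import datetime, time

PERMIT, DENY = "permit", "deny"
PORT_COUNT = 12                      # switch A in Fig. 2: Fa0/1 .. Fa0/12


def port_bit(name):
    """'Fa0/5' -> bit 4; Fa0/1 is the least significant bit (assumed numbering)."""
    return int(name.rsplit("/", 1)[1]) - 1


def port_match_bitmap(exception_ports=()):
    """Ports subject to access control: every port, with exception ports cleared."""
    bitmap = (1 << PORT_COUNT) - 1   # 0xFFF
    for name in exception_ports:
        bitmap &= ~(1 << port_bit(name))
    return bitmap


class TimeRange:
    """'periodic daily 8:00 to 18:00': active on every day within [start, end)."""

    def __init__(self, start, end):
        self.start, self.end = start, end

    def active(self, now):
        return self.start <= now.time() < self.end


class GlobalACL:
    """Rule-setting unit (entries, time range, exception ports), binding unit
    (install into a modelled TCAM with a port bitmap) and filter unit in one object."""

    def __init__(self, name, entries, exception_ports=(), time_range=None):
        self.name = name
        self.entries = entries           # [(action, {field: value, or None for 'any'})]
        self.bitmap = port_match_bitmap(exception_ports)
        self.time_range = time_range
        self.tcam = []                   # installed hardware entries

    def bind(self, now):
        """Binding unit: install entries inside the effective period, delete them outside it."""
        if self.time_range is None or self.time_range.active(now):
            self.tcam = [(action, fields, self.bitmap) for action, fields in self.entries]
        else:
            self.tcam = []
        return len(self.tcam)

    def filter(self, pkt):
        """Filter unit: (verdict, reason) for {'in_port', 'src_ip', 'src_mac'}."""
        if not self.tcam:
            return PERMIT, "no entries installed: ACL is outside its time range"
        if not (self.tcam[0][2] >> port_bit(pkt["in_port"])) & 1:
            return PERMIT, "ingress port not in the port match bitmap (exception port)"
        for action, fields, _ in self.tcam:          # first matching entry wins
            if all(v is None or pkt.get(k) == v for k, v in fields.items()):
                return action, f"matched entry {fields}"
        return DENY, "no entry matched"


ACL_GLOBLE = GlobalACL(
    "ACL_globle",
    entries=[
        (PERMIT, {"src_ip": "192.168.1.10", "src_mac": "0000.0000.0001"}),  # PC1
        (PERMIT, {"src_ip": "192.168.1.20", "src_mac": "0000.0000.0002"}),  # PC2
        (DENY,   {"src_ip": None, "src_mac": None}),                        # deny any any
    ],
    exception_ports=("Fa0/5",),                        # uplink to switch B
    time_range=TimeRange(time(8, 0), time(18, 0)),     # Time_1
)


def run_scenarios(acl=ACL_GLOBLE, now=datetime(2010, 1, 8, 9, 30)):
    """Constructed packets for the Fig. 2 cases; returns {scenario: verdict}."""
    acl.bind(now)
    packets = {
        "pc1_on_fa0/1":    {"in_port": "Fa0/1", "src_ip": "192.168.1.10", "src_mac": "0000.0000.0001"},
        "pc1_moved_fa0/9": {"in_port": "Fa0/9", "src_ip": "192.168.1.10", "src_mac": "0000.0000.0001"},
        "pc3_on_fa0/3":    {"in_port": "Fa0/3", "src_ip": "192.168.1.30", "src_mac": "0000.0000.0003"},
        "uplink_fa0/5":    {"in_port": "Fa0/5", "src_ip": "10.0.0.1",     "src_mac": "0000.0000.00ff"},
        # the entries key only on source fields a host chooses itself, so a host on
        # Fa0/3 that presents PC1's addresses is indistinguishable from PC1 here
        "pc3_forging_pc1": {"in_port": "Fa0/3", "src_ip": "192.168.1.10", "src_mac": "0000.0000.0001"},
    }
    return {name: acl.filter(p)[0] for name, p in packets.items()}


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:18s} {verdict}")
```

Two properties of the page's design show up directly in the verdicts: PC1 is permitted whichever port it moves to, which is the point of binding the ACL to the device rather than a port; and outside Time_1 the entries are deleted, so the model passes everything, which is what "access control only from 8:00 to 18:00" means in practice. The last scenario is the check a practitioner would add: the rules identify a user only by source IP and MAC, so whatever policy the bitmap and time range express rests on those fields being honest.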
The utility model embodiment also provides a network device. Fig. 3 is a schematic diagram of a network device embodiment of the utility model; the network device comprises the above device. The network device may be a switch or another network device that performs network access control.
The utility model can monitor the network access of all network users even when the users' access ports are not fixed; it can also perform access control based on an effective time period, and can configure a port with special requirements as an exception port so that no access control is applied to packets received on it. The scheme of the utility model is simple to implement, saves hardware resources, and strengthens the stability and security of the network.
The beneficial effects of the utility model are:
1. Global access control
Access control is no longer tied to a single port; instead, network users' permissions are controlled as a whole. Ordinary port-based control lacks flexibility: when a user's access port changes, the configuration must be updated promptly or the user cannot access the network. The utility model controls network users' access as a whole, which not only protects the interests of legitimate users but also reduces the network administrator's management cost.
2. Simple implementation, resource saving
The utility model is simple to implement: only the access control entries that permit legitimate users' packets need to be configured in the ACL, and all other, illegitimate packets are dropped. The ACL is then bound to the network device that requires access control.
In a port-based access control scheme, global access control could also be achieved by binding the ACL to every port of the switch, but doing so wastes hardware resources on a large scale. The scheme of this embodiment saves hardware resources effectively while achieving global access control.
3. Exception handling for particular ports
Under global access control, a port with special requirements, such as an uplink port, can be exempted from packet access control simply by setting it as an exception port. If access control on that port is wanted again later, it only needs to be set back to a normal port. The scheme of the utility model therefore has good flexibility.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the utility model and not to limit it. Although the utility model has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the utility model.

Claims (8)

1. A global network access control device, characterized in that it comprises an access control rule setting unit, a binding unit and a filter unit;
the access control rule setting unit is used to set global access control rules;
the binding unit is used to associate the access control rules with the network device that requires access control;
the filter unit is used to filter received packets according to the access control rules.
2. The device according to claim 1, characterized in that the filter unit is specifically used to filter received packets according to the access control rules when the port on which a packet is received is a port that requires access control.
3. The device according to claim 1, characterized in that the binding unit is specifically used to install the access control entries corresponding to the access control rules into a Ternary Content Addressable Memory (TCAM) to form TCAM entries, and to set the port match bitmap of the TCAM entries to all ports that require access control.
4. The device according to claim 3, characterized in that the filter unit is specifically used to filter received packets according to the access control rules when the port on which a packet is received is included in the port match bitmap.
5. The device according to any one of claims 1 to 3, characterized in that the access control rule setting unit is also used to set an effective time period for the access control rules.
6. The device according to claim 5, characterized in that the filter unit is specifically used to filter received packets according to the access control rules during the effective time period.
7. The device according to any one of claims 1 to 3, characterized in that the access control rule setting unit is also used to set a port that does not need access control as an exception port.
8. A network device comprising the device according to any one of claims 1 to 7.
Priority Applications

Application number: CN2010200467228U; priority date: 2010-01-08; filing date: 2010-01-08; title: Global network access control device and network equipment

Publications

Publication number: CN201821376U (granted); publication date: 2011-05-04; status: Expired - Fee Related

Family

Family ID: 43919318 (one family application, CN2010200467228U)
Country status: CN, CN201821376U (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102316031A * | 2011-09-05 | 2012-01-11 | 西安和利时系统工程有限公司 | Switching system
CN102763371A * | 2012-05-02 | 2012-10-31 | 华为技术有限公司 | Method and apparatus for controlling network device
CN102763371B * | 2012-05-02 | 2014-12-10 | 华为技术有限公司 | Method and apparatus for controlling network device
CN106506468A * | 2016-10-31 | 2017-03-15 | 盛科网络(苏州)有限公司 | Method for reducing the number of ACE entries consumed
CN111030971A * | 2019-03-21 | 2020-04-17 | 哈尔滨安天科技集团股份有限公司 | Distributed access control method and device and storage equipment


Legal Events

Code | Title | Description
DD01 | Delivery of document by public notice | Addressee: Zhou Jian; Document name: Notification of Passing Examination on Formalities
C14 | Grant of patent or utility model |
GR01 | Patent grant |
C17 | Cessation of patent right |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2011-05-04; Termination date: 2014-01-08