TWI396144B - System and method for controlling network usage rights in attendance state - Google Patents


Info

Publication number
TWI396144B
Authority
TW
Taiwan
Prior art keywords
attendance
network
employee
computer
controlling
Prior art date
Application number
TW98100802A
Other languages
Chinese (zh)
Other versions
TW201027462A (en)
Original Assignee
Chunghwa Telecom Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chunghwa Telecom Co Ltd
Priority to TW98100802A
Publication of TW201027462A
Application granted
Publication of TWI396144B

Landscapes

  • Small-Scale Networks (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Description

System and method for controlling network usage rights by attendance status

The present invention, a system and method for controlling network usage rights by attendance status, relates to systems and methods for controlling network usage rights, and in particular to a method that uses employee attendance records to enable Internet access. A network authority controller sends Address Resolution Protocol (ARP) packets that block a computer's connection, so that the computer cannot reach the Internet, thereby securing the right to use the Internet.

Conventional Internet access control mostly consists of setting up a proxy server inside the company. Employees must go through the proxy server to reach the Internet; the proxy server asks for the employee's account and password as authentication, and anyone who fails authentication cannot connect to the Internet. This approach has shortcomings. First, personal account passwords are easily stolen or cracked. Second, the proxy server only controls specific network ports (for example port 80), that is, only packets using the HyperText Transfer Protocol (HTTP); control of the other network ports has to rely on a firewall.

It can be seen that the conventional approach still has many shortcomings, is not a sound design, and urgently needs improvement.

In view of the drawbacks of the conventional approach, the inventor of this application sought to improve and innovate upon it and, after years of painstaking research, succeeded in developing the present device and method for controlling network usage rights by attendance status.

The object of the present invention is to provide a system and method for controlling network usage rights by attendance status, improving on the current method of controlling users' Internet connections with a proxy, whose weakness is that account passwords are easily stolen.

Another object of the present invention is to overcome the drawback of the prior art, which only controls specific network ports. Without adding any network switching equipment, the invention can effectively block the network usage of computer equipment not entitled to use the Internet, so that an unauthorized computer cannot connect to the Internet through any port.

To achieve the above objects, the system and method for controlling network usage rights by attendance status uses employee attendance records as the basis for deciding whether the computer equipment belonging to each employee is granted Internet access. The network authority control server periodically issues Address Resolution Protocol queries (ARP requests) to obtain a list of the IP and MAC addresses of all computers currently powered on in the local area network. If a computer is found that is not entitled to use the Internet, the network authority control server continuously sends Address Resolution Protocol responses (ARP replies) that overwrite the physical address of the gateway in the target computer's Address Resolution Protocol table (ARP table), so that the target computer cannot reach the Internet. Conversely, if the computer is legitimately entitled to Internet access, the network authority control server sends a single ARP reply that restores the gateway's physical address in the target computer's ARP table to the correct value, thereby granting it Internet access.

Please refer to FIG. 1, the system architecture diagram of the system and method for controlling network usage rights by attendance status according to the present invention. The present invention uses an attendance card reader 1 to read the user's IC card and obtain the employee's identification number; the attendance data server 2 records the employee's clock-in and clock-out times, and the network control server 3 decides, based on the attendance data, whether to grant the employee's computer access to the Internet. The network authority control server 3 holds the IP-to-MAC mapping registered for each employee's computer; combined with the clock-in and clock-out times recorded by the attendance data server 2, this yields a user attendance database. The network authority control server 3 periodically sends ARP requests to discover all computers currently powered on in the company's network segment and compares them with the IP and MAC addresses in the user attendance database. If the IP or MAC of an employee who has not clocked in appears in the ARP scan list, the network authority control server 3 sends ARP packets that change the gateway's physical address in that computer's ARP table, so that the computer cannot find the correct gateway MAC and cannot reach the Internet, thereby blocking that computer.

FIG. 2 is a flow chart of the device and method for controlling network usage rights by attendance status. In step 101 the employee clocks in or out with an IC card; in step 102 the attendance data server collects the employee's clock-in and clock-out records; in step 103 the network authority control server periodically issues ARP requests to obtain a list of the IP and MAC addresses of all computers currently powered on in the local area network; in step 104 the network authority control server compares the user attendance database against all currently powered-on computers. If a computer belonging to someone who has not clocked in is found to be powered on, the process proceeds to step 105, in which the network authority control server continuously sends ARP replies that overwrite the gateway's physical address in the target computer's ARP table, so that the target computer cannot reach the Internet; otherwise it proceeds to step 106, restoring the gateway's physical address in the target computer's ARP table to the correct value so that it can reach the Internet.
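The comparison in step 104 is the decision point of the whole flow, so the following added example (not code from the patent or its assignee) implements it: presence is derived from constructed clock-in/clock-out events (server 2 data), registered IP/MAC pairs stand in for server 3 data, and a constructed ARP scan list (step 103 output) is sorted into hosts to restore (step 106), hosts to block (step 105) and unregistered hosts. Treating a host whose IP/MAC pair differs from its registration as blocked is an assumption added here; the patent only says that an absent employee's IP or MAC is blocked.

```python
"""Step 104 decision logic: which powered-on hosts are blocked or restored.

Added example, not the patent's own code. All inputs below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple

Host = Tuple[str, str]  # (ip, mac) as reported by the ARP scan in step 103


@dataclass(frozen=True)
class Registration:
    """IP/MAC pair registered for one employee's computer (server 3 data)."""
    employee_id: str
    ip: str
    mac: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-11-22-33-44-01 == 00:11:22:33:44:01."""
    return mac.strip().lower().replace("-", ":")


def present_employees(events: Iterable[Tuple[str, str, str]]) -> Set[str]:
    """Employees whose most recent clock event (server 2 data) is an 'in' record."""
    latest: Dict[str, Tuple[datetime, str]] = {}
    for emp, stamp, kind in events:
        when = datetime.fromisoformat(stamp)
        if emp not in latest or when > latest[emp][0]:
            latest[emp] = (when, kind)
    return {emp for emp, (_, kind) in latest.items() if kind == "in"}


def classify_hosts(scan: Iterable[Host], registrations: Iterable[Registration],
                   present: Set[str]) -> Tuple[List[Host], List[Host], List[Host]]:
    """Return (allow, block, unknown) lists for the scanned hosts."""
    regs = list(registrations)
    by_ip = {r.ip: r for r in regs}
    by_mac = {normalize_mac(r.mac): r for r in regs}
    allow: List[Host] = []
    block: List[Host] = []
    unknown: List[Host] = []
    for ip, raw_mac in scan:
        mac = normalize_mac(raw_mac)
        host = (ip, mac)
        reg = by_ip.get(ip) or by_mac.get(mac)  # match on IP *or* MAC, as the patent states
        if reg is None:
            unknown.append(host)  # not registered to anyone; the patent leaves this to policy
        elif reg.employee_id in present and reg.ip == ip and normalize_mac(reg.mac) == mac:
            allow.append(host)    # step 106: owner is clocked in, pair matches registration
        else:
            block.append(host)    # step 105: owner absent, or pair differs from registration (assumption)
    return allow, block, unknown


# Constructed sample data.
REGISTRATIONS = [
    Registration("e001", "192.168.10.11", "00:11:22:33:44:01"),
    Registration("e002", "192.168.10.12", "00:11:22:33:44:02"),
    Registration("e003", "192.168.10.13", "00:11:22:33:44:03"),
]
EVENTS = [  # (employee, ISO timestamp, 'in'|'out'); e002 has already clocked out
    ("e001", "2009-01-10T08:05", "in"),
    ("e002", "2009-01-10T08:10", "in"),
    ("e002", "2009-01-10T12:00", "out"),
    ("e003", "2009-01-10T09:00", "in"),
]
SCAN = [  # constructed ARP scan result; the third host uses e003's IP with a foreign MAC
    ("192.168.10.11", "00-11-22-33-44-01"),
    ("192.168.10.12", "00:11:22:33:44:02"),
    ("192.168.10.13", "aa:bb:cc:dd:ee:ff"),
    ("192.168.10.50", "de:ad:be:ef:00:01"),
]

if __name__ == "__main__":
    print(classify_hosts(SCAN, REGISTRATIONS, present_employees(EVENTS)))
```

Note that a host with a static ARP entry for the gateway, or one behind a switch with dynamic ARP inspection, will not have its ARP table changed by the replies of step 105, so the outcome of enforcement should be verified rather than assumed.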

Compared with other conventional techniques, the system and method for controlling network usage rights by attendance status provided by the present invention has the following advantages:

1. The present invention can use the attendance record as the means of deciding whether an employee's computer is allowed to connect to the Internet, avoiding the password theft and password borrowing problems that arose under account-and-password control.

2. By updating the ARP table to change the gateway physical address of unauthorized computers, the present invention can completely prevent a user from connecting to the Internet through any port.

3. The present invention can be applied to local area networks in any enterprise or company environment. Since ARP is a basic function of the Internet Protocol specification, there is no need to replace the company's network switching equipment 4; simply adding a control server achieves control over Internet access rights, so the economic benefit is considerable.

The detailed description above illustrates one feasible embodiment of the present invention, but this embodiment is not intended to limit the patent scope of the invention; all equivalent implementations or modifications that do not depart from the technical spirit of the invention shall be included within the patent scope of this application.

In summary, this application is not only genuinely innovative in its technical concept but also provides the above advantages that conventional methods cannot. It fully satisfies the statutory requirements of novelty and inventive step for an invention patent, and the application is filed according to law. We respectfully request that your office approve this invention patent application so as to encourage invention.

1‧‧‧Attendance card reader

2‧‧‧Attendance data server

3‧‧‧Network authority control server

4‧‧‧Network switching equipment (switch)

5‧‧‧Personal computer

6‧‧‧Internet

Refer to the detailed description of the invention and the accompanying drawings for a further understanding of its technical content, objects and effects. The drawings are: FIG. 1, the system architecture diagram of the system and method for controlling network usage rights by attendance status according to the present invention; and FIG. 2, the flow chart of the system and method for controlling network usage rights by attendance status.


Claims (9)

1. A system for controlling network usage rights by attendance status, comprising: a. an attendance card reader, the tool with which employees sign in at the start of work and sign out at the end; b. an attendance data server, connected to the attendance card reader, which collects employees' clock-in and clock-out times; c. a network authority control server, which records employees' basic data and the IP-to-MAC mapping of their computers, and which is able to scan the computers on the local area network and to send Address Resolution Protocol responses (ARP replies) that block a target computer from connecting to the Internet; and d. a network switching device (switch), being ordinary networking equipment conforming to the TCP/IP specification.

2. The system for controlling network usage rights by attendance status of claim 1, wherein the attendance card reader is a device that reads employee card data and records clock-in and clock-out times.

3. The system for controlling network usage rights by attendance status of claim 1, wherein the network authority control server combines the employees' clock-in and clock-out times recorded by the attendance data server with the employees' basic data to produce a user attendance database.

4. The system for controlling network usage rights by attendance status of claim 1, wherein the network authority control server is able to issue ARP requests to obtain a list of all computers currently powered on in the local area network.

5. The system for controlling network usage rights by attendance status of claim 1, wherein the network authority control server compares the user attendance database with the list of all powered-on computers in the local area network and is able to send continuous ARP replies that block computer equipment not entitled to use the Internet from connecting to it.

6. The system for controlling network usage rights by attendance status of claim 1, wherein the switch is switching equipment that connects the computers of the local area network.

7. A method for controlling network usage rights by attendance status, comprising the steps of: a. an employee clocks in or out with an IC card at the attendance card reader; b. the attendance data server collects and records the employee's clock-in and clock-out times; c. the network authority control server combines the clock-in and clock-out times recorded by the attendance data server with the employees' basic data to produce a user attendance database, and periodically issues ARP requests to obtain a list of the IP and MAC addresses of all computers currently powered on in the local area network; d. the network authority control server compares the user attendance database with the IP and MAC list of all currently powered-on computers and, if the computer of an employee who has not clocked in is found to be powered on, continuously sends ARP replies that overwrite the physical address of the gateway in the target computer's ARP table so that the target computer cannot reach the Internet; e. if the computer is legitimately entitled to Internet access, the network authority control server sends a single ARP reply that restores the gateway's physical address in the target computer's ARP table to the correct value.

8. The method for controlling network usage rights by attendance status of claim 7, wherein the user attendance database contains the employees' basic data, the IP-to-MAC mapping registered for each employee's computer, the employees' clock-in and clock-out times, and the like.

9. The method for controlling network usage rights by attendance status of claim 7, wherein a non-attending employee's computer is found to be powered on by the network authority control server comparing the IP-to-MAC mapping registered for non-attending employees with the IP and MAC list of all currently powered-on computers.
TW98100802A 2009-01-10 2009-01-10 System and method for controlling network usage rights in attendance state TWI396144B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW98100802A TWI396144B (en) 2009-01-10 2009-01-10 System and method for controlling network usage rights in attendance state

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW98100802A TWI396144B (en) 2009-01-10 2009-01-10 System and method for controlling network usage rights in attendance state

Publications (2)

Publication Number Publication Date
TW201027462A TW201027462A (en) 2010-07-16
TWI396144B true TWI396144B (en) 2013-05-11

Family

ID=44853218

Family Applications (1)

Application Number Title Priority Date Filing Date
TW98100802A TWI396144B (en) 2009-01-10 2009-01-10 System and method for controlling network usage rights in attendance state

Country Status (1)

Country Link
TW (1) TWI396144B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI615002B (en) * 2016-11-02 2018-02-11 國立臺北科技大學 (National Taipei University of Technology) Method and System for Network Connection Authority Controlling

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI228902B (en) * 2002-06-12 2005-03-01 Rdc Semiconductor Co Ltd Method and system for controlling and managing network security
TW200643706A (en) * 2005-06-06 2006-12-16 Mosdan Internat Co Ltd Method to use network switch for controlling computer access to network system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
呂少青、葉乃菁, "網路概論" (Introduction to Networks), 文魁資訊, August 2008 *

Also Published As

Publication number Publication date
TW201027462A (en) 2010-07-16

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees