TWI714386B - Method for detecting hidden network address and management server - Google Patents
- Publication number: TWI714386B
- Authority: TW (Taiwan)
- Prior art keywords: terminal computer, http packet, network, address, private
- Classification: Data Exchanges In Wide-Area Networks (AREA)
Description
The present invention relates to a network security technique, and in particular to a method for detecting hidden network addresses and a management server.
IP scanning inside an enterprise network is usually limited by network address translation (NAT) devices, also called network masquerading or IP masquerading devices. Because a NAT device hands out private IP addresses, a terminal computer can be placed in the closed internal network segment behind the NAT device and thereby evade the enterprise's IP management system, which directly creates a blind spot for information security risk.
In view of this, the present invention provides a method for detecting hidden network addresses and a management server, which can be used to solve the above technical problem.
The present invention provides a method for detecting hidden network addresses, suitable for a management server. The method includes: receiving, from a network address translation device, a first HTTP packet from a terminal computer, where the terminal computer has been assigned a private IP address by the network address translation device and the first HTTP packet has a first User-Agent field; in response to determining that the content of the first User-Agent field of the first HTTP packet is new content, determining that the terminal computer is an unmanaged device and blocking the first HTTP packet from being forwarded to a proxy server connected to the network address translation device; requiring the terminal computer to install a plug-in component, where the plug-in component is used to collect the private IP address of the terminal computer; and receiving and recording the private IP address collected by the plug-in component, and requesting the proxy server to add the private IP address to a whitelist.
The present invention provides a management server, which includes a storage circuit and a processor. The storage circuit stores a plurality of modules. The processor is coupled to the storage circuit and accesses the modules to perform the following steps: receiving, from a network address translation device, a first HTTP packet from a terminal computer, where the terminal computer has been assigned a private IP address by the network address translation device and the first HTTP packet has a first User-Agent field; in response to determining that the content of the first User-Agent field of the first HTTP packet is new content, determining that the terminal computer is an unmanaged device and blocking the first HTTP packet from being forwarded to a proxy server connected to the network address translation device; requiring the terminal computer to install a plug-in component, where the plug-in component is used to collect the private IP address of the terminal computer; and receiving and recording the private IP address collected by the plug-in component, and requesting the proxy server to add the private IP address to a whitelist.
To make the above features and advantages of the present invention more comprehensible, embodiments are described in detail below with reference to the accompanying drawings.
Refer to FIG. 1, a schematic diagram of a network system according to an embodiment of the present invention. As shown in FIG. 1, the network system 100 includes a management server 101, a NAT device 102, terminal computers 103 and 104, a proxy server 105 and an external network 106.
The management server 101 is, for example, a dedicated server for managing an enterprise network, and may include a storage circuit 1011 and a processor 1012. The storage circuit 1011 is, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk or other similar device, or a combination of these devices, and can be used to store a plurality of program codes or modules.
The processor 1012 is coupled to the storage circuit 1011 and may be a general-purpose processor, a special-purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, one or more microprocessors combined with a digital signal processor core, a controller, a microcontroller, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), any other kind of integrated circuit, a state machine, a processor based on the Advanced RISC Machine (ARM) architecture, or the like.
In embodiments of the present invention, the management server 101 allows network or IP administrators to manage effectively and quickly and to clearly understand current IP usage, and it can control each IP and its settings. It is responsible for running the IP monitoring and identity authentication procedures, for detecting HTTP packets that originate from private IPs inside the NAT, and for providing a browser plug-in component 106 for unmanaged devices (for example, terminal computer 104) to download and install, so as to obtain the information they report back.
The NAT device 102 is, for example, a device in the enterprise network that provides a closed internal network architecture with private IP addresses. Terminal computer 103 is, for example, a terminal device in the enterprise network that is already managed by the management server 101, whereas terminal computer 104 is, for example, a terminal device in the enterprise network that is not yet managed by the management server 101. In embodiments of the present invention, the private IP address of terminal computer 104 is the main target that the method of the present invention intends to detect and expose.
The proxy server 105 is, for example, a device in the enterprise network that provides proxy functionality for connections from the intranet to the external network (Internet). Moreover, the proxy server 105 can be used to isolate the external network from enterprise network terminals, thereby protecting the privacy and security of the enterprise network and preventing attacks. In embodiments of the present invention, the architecture in which the proxy server 105 interfaces with the management server 101 can enforce control over Internet access and force unmanaged devices (for example, terminal computer 104) to go through the management procedure.
The plug-in component 106 is, for example, a browser plug-in (which may be implemented as a Java applet). In embodiments of the present invention, when the browser of an unmanaged device (for example, terminal computer 104) wants to connect to the external network (Internet), the management server 101 sends the plug-in component 106 over the network to the browser of terminal computer 104 and requires it to be installed. After terminal computer 104 finishes installing the plug-in component 106, the plug-in component 106 sends information such as the IP address, network card MAC address and host name of terminal computer 104 to the management server 101, but it is not limited to this.
Refer to FIG. 2, a flowchart of a method for detecting a hidden network address according to an embodiment of the present invention. The method of this embodiment can be executed by the network system 100 of FIG. 1; the details of each step in FIG. 2 are described below with reference to the components shown in FIG. 1.
First, when terminal computer 104 (that is, an unmanaged device) connects to the network through the NAT device 102, the NAT device 102 assigns a private IP address (for example, 192.168.1.2) to terminal computer 104 in step 201, so that terminal computer 104 can begin sending network packets (for example, the first HTTP packet shown in FIG. 2) after obtaining the private IP address. At this stage, however, the enterprise administrator has no way of learning anything about terminal computer 104.
After the NAT device 102 receives the first HTTP packet from terminal computer 104, it can forward the first HTTP packet to the management server 101 for further inspection by the management server 101.
In this embodiment, the first HTTP packet may include a first User-Agent field, whose content may record a first operating system string corresponding to the operating system of terminal computer 104, and a first browser name and version string corresponding to the browser of terminal computer 104. In different embodiments, the first operating system string may take forms such as "Windows NT 10.0" or "Win64; x64", and the first browser name and version string may take forms such as "Chrome/77.0.3865.90" or "Safari/537.36", but the present invention is not limited to this.
After the management server 101 obtains the first HTTP packet, it can determine whether the content of the first User-Agent field of the first HTTP packet is new content. In one embodiment, the management server 101 can determine whether at least one of the first operating system string and the first browser name and version string is new. If so, the management server 101 can determine that terminal computer 104 is an unmanaged device and, in step 202, determine that the content of the first User-Agent field of the first HTTP packet is new content, but the present invention is not limited to this.
After determining that the content of the first User-Agent field of the first HTTP packet is new content, the management server 101 can block the first HTTP packet from being forwarded to the proxy server 105, and further require terminal computer 104 to install the previously mentioned plug-in component 106. Accordingly, terminal computer 104 can install the plug-in component 106 in step 203.
In embodiments of the present invention, the plug-in component 106 can be used to collect the private IP address (that is, 192.168.1.2), network card MAC address and host name of terminal computer 104 and provide the collected information to the management server 101, but it is not limited to this.
After the management server 101 receives the private IP address of terminal computer 104 provided by the plug-in component 106, the management server 101 can record this private IP address in its database in step 204. In one embodiment, the management server 101 can compare it against the active IP list in the existing database (whose fields may include IP information, network card MAC information, host name information, management status and so on) and, based on the devices whose management status is unmanaged, output a management list. Afterwards, the management server 101 can apply management settings to the list of unmanaged devices, but the present invention is not limited to this.
Moreover, the management server 101 can also notify the proxy server 105 to record the private IP address of terminal computer 104 in a whitelist. Accordingly, the proxy server 105 can execute step 205 in response to the notification from the management server 101, recording the private IP address of terminal computer 104 in the whitelist and returning a confirmation message to inform the management server 101. In this case, terminal computer 104 can be regarded as having changed from an unmanaged device to a managed device.
In FIG. 2, assume that terminal computer 104 (now a managed device) wants to send a second HTTP packet (which includes a second User-Agent field) to the external network 106. After determining that the content of the second User-Agent field of the second HTTP packet is not new content (because it is identical to the content of the first User-Agent field of the first HTTP packet), the management server 101 can allow (that is, not block) the proxy server 105 to forward/release the second HTTP packet to the external network 106.
Moreover, after the proxy server 105 receives the second HTTP packet and confirms in step 206 that it belongs to the whitelist, it can accordingly release the second HTTP packet to the external network 106.
Refer to FIG. 3, a flowchart of a method for detecting a hidden network address according to an embodiment of the present invention. The method of this embodiment can be executed by the management server 101 of FIG. 1; each step of FIG. 3 is described below with reference to FIG. 1.
First, in step S310, the processor 1012 can receive the first HTTP packet from terminal computer 104 via the NAT device 102. In step S320, in response to determining that the content of the first User-Agent field of the first HTTP packet is new content, the processor 1012 can determine that terminal computer 104 is an unmanaged device and block the first HTTP packet from being forwarded to the proxy server 105. In step S330, the processor 1012 can require terminal computer 104 to install the plug-in component 106. In step S340, the processor 1012 can receive and record the private IP address collected by the plug-in component 106 and request the proxy server 105 to add the private IP address to the whitelist. For details of each step in FIG. 3, refer to the description of the previous embodiments; they are not repeated here.
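The FIG. 2 / FIG. 3 exchange between the management server 101 and the proxy server 105, written out as an added Python example (this is not code from the patent or its assignee). It parses the User-Agent field into the operating system string and the browser name/version string, treats an unseen value of either as "new content" (step 202 / S320), blocks the packet and waits for the plug-in's report (steps 203 to 205 / S330 to S340), and then shows the proxy whitelist check of step 206. The class and function names, the sample User-Agent strings, the plug-in report layout and the private IP 192.168.1.1 assumed for the already-managed host 103 are all assumptions made for this example; 192.168.1.2 for host 104 is the value used in the description.

```python
"""Added worked example (not code from the patent or its assignee).

Simulates the FIG. 2 exchange between the management server (101) and the
proxy server (105): User-Agent parsing, "new content" detection (step 202),
blocking plus plug-in enrolment (steps 203-205) and the proxy's whitelist
check (step 206).  Class/function names, the User-Agent samples and the
plug-in report layout are assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample User-Agent strings: host 103 (already managed) and
# host 104 (the unmanaged host behind the NAT device).
UA_103 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/14.0 Safari/605.1.15")
UA_104 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36")

KNOWN_BROWSERS = ("Chrome", "Firefox", "Safari", "Edge", "OPR")


@dataclass
class HttpPacket:
    src_ip: str        # private IP address as seen by the NAT device
    user_agent: str


@dataclass
class PluginReport:    # what the plug-in component sends back (step 204)
    private_ip: str
    mac: str
    hostname: str


def parse_user_agent(ua):
    """Split a User-Agent header into (os_string, browser_string).

    The OS string is the first parenthesised platform block, e.g.
    'Windows NT 10.0; Win64; x64'; the browser string is the first
    'Name/Version' product token whose name is a known browser, falling
    back to the last product token.  This heuristic is an assumption.
    """
    m = re.search(r"\(([^)]*)\)", ua)
    os_string = m.group(1).strip() if m else ""
    tokens = re.findall(r"\b([A-Za-z][A-Za-z0-9.-]*/[0-9][\w.]*)", ua)
    browser = next((t for t in tokens if t.split("/")[0] in KNOWN_BROWSERS),
                   tokens[-1] if tokens else "")
    return os_string, browser


class ProxyServer:
    """Proxy 105: forwards to the external network only from whitelisted IPs."""

    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)

    def add_to_whitelist(self, ip):         # step 205
        self.whitelist.add(ip)
        return "ACK"

    def forward(self, pkt):                 # step 206
        return "FORWARDED" if pkt.src_ip in self.whitelist else "DROPPED"


class ManagementServer:
    """Management server 101."""

    def __init__(self, proxy, known_user_agents=()):
        self.proxy = proxy
        self.known_os, self.known_browsers = set(), set()
        for ua in known_user_agents:          # strings of already-managed hosts
            self._learn(ua)
        self.active_ips = {}                  # private IP -> record (step 204)
        self.pending = {}                     # IPs told to install the plug-in

    def _learn(self, ua):
        os_s, br_s = parse_user_agent(ua)
        self.known_os.add(os_s)
        self.known_browsers.add(br_s)

    def inspect(self, pkt):
        """Step 202 / S320: 'new content' if either UA component is unseen."""
        os_s, br_s = parse_user_agent(pkt.user_agent)
        if os_s not in self.known_os or br_s not in self.known_browsers:
            self.pending[pkt.src_ip] = pkt.user_agent
            self.active_ips.setdefault(pkt.src_ip, {"managed": False})
            return "BLOCK_REQUIRE_PLUGIN"   # packet never reaches proxy 105
        return "ALLOW"

    def register(self, report):
        """Steps 204-205: record the plug-in's data, then whitelist at the proxy."""
        ua = self.pending.pop(report.private_ip, None)
        if ua is None:
            raise ValueError("report from a host that was never asked to enrol")
        self.active_ips[report.private_ip] = {
            "mac": report.mac, "hostname": report.hostname, "managed": True}
        self._learn(ua)
        return self.proxy.add_to_whitelist(report.private_ip)

    def unmanaged_devices(self):
        return sorted(ip for ip, r in self.active_ips.items() if not r["managed"])


def run_scenario():
    """Walk FIG. 2 end to end; returns a trace of (event, outcome) pairs."""
    proxy = ProxyServer(whitelist={"192.168.1.1"})       # host 103, assumed IP
    mgmt = ManagementServer(proxy, known_user_agents=[UA_103])
    trace = []
    first = HttpPacket("192.168.1.2", UA_104)             # step 201: 192.168.1.2
    trace.append(("first packet", mgmt.inspect(first)))
    trace.append(("unmanaged list", mgmt.unmanaged_devices()))
    report = PluginReport("192.168.1.2", "00:11:22:33:44:55", "host104")  # constructed
    trace.append(("whitelist ack", mgmt.register(report)))
    second = HttpPacket("192.168.1.2", UA_104)
    verdict = mgmt.inspect(second)
    trace.append(("second packet", verdict))
    trace.append(("proxy", proxy.forward(second) if verdict == "ALLOW" else "NOT_SENT"))
    # A different, never-enrolled host reusing the same User-Agent passes the
    # novelty check but is still stopped by the proxy whitelist.
    stray = HttpPacket("192.168.1.3", UA_104)
    trace.append(("stray host", (mgmt.inspect(stray), proxy.forward(stray))))
    return trace


if __name__ == "__main__":
    for event, outcome in run_scenario():
        print(f"{event:>15}: {outcome}")
```

The last case in `run_scenario` is the point a practitioner should take from the design: the User-Agent novelty check of step 202 is only a trigger, since many hosts share identical operating system and browser strings and the field is set by the client, so the enforcement that actually keeps an unregistered private IP off the external network is the proxy's per-IP whitelist in step 206. The two checks therefore belong together, as the description's architecture has them.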
In summary, after obtaining an HTTP packet sent by an (unmanaged) terminal computer, the present invention can analyze it and record the packet contents, and, in combination with browser plug-in component technology, obtain characteristic information about the terminal computer (for example, the operating system version of the terminal computer and the version of the web browser in use), for the purpose of exposing computers hidden in the network. In this way, the present invention can detect the existence of computers that hide their real IP, and thereby reduce the information security risk that unmanaged computers may cause.
From the above, the present invention has at least the following features: (1) it can quickly and accurately expose private-IP terminal computers that are active in the network behind a NAT network architecture; using the Ethernet standard network protocol and packet capture as its infrastructure, it can be implemented purely in software, without special hardware requirements or network environment restrictions and without the high cost of building hardware equipment; (2) using the local operating system and browser configuration information extracted by automatic identification of HTTP packets from unmanaged devices, combined with browser plug-in component technology, it obtains the characteristic information of the computer device and can determine whether an active device is present on the general network or hidden in a NAT network environment, achieving comprehensive and anti-concealment detection; (3) it can establish a comprehensive integrated IP management mechanism within the enterprise, fully improving network quality and performance. Through the management server, network or IP administrators can manage effectively and quickly and clearly understand current IP usage.
Although the present invention has been disclosed by the above embodiments, they are not intended to limit the present invention. Anyone with ordinary knowledge in the technical field can make some changes and modifications without departing from the spirit and scope of the present invention; therefore, the scope of protection of the present invention shall be as defined by the appended claims.
100: network system
101: management server
1011: storage circuit
1012: processor
102: NAT device
103, 104: terminal computers
105: proxy server
106: external network
201~206, S310~S340: steps
FIG. 1 is a schematic diagram of a network system according to an embodiment of the present invention.
FIG. 2 is a flowchart of a method for detecting a hidden network address according to an embodiment of the present invention.
FIG. 3 is a flowchart of a method for detecting a hidden network address according to an embodiment of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW108144951A TWI714386B (en) | 2019-12-09 | 2019-12-09 | Method for detecting hidden network address and management server |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI714386B true TWI714386B (en) | 2020-12-21 |
TW202123650A TW202123650A (en) | 2021-06-16 |
Family
ID=74669709
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI440334B (en) * | 2009-04-02 | 2014-06-01 | Chunghwa Telecom Co Ltd | Monitoring computer devices and intercepting DNS packets based on Internet control methods and systems |
CN106302237A (en) * | 2016-08-30 | 2017-01-04 | 成都科来软件有限公司 | A kind of method utilizing packet content identification mobile terminal |
TWI628936B (en) * | 2017-04-25 | 2018-07-01 | 中華電信股份有限公司 | Automatic control system for controlling the existence of internet protocol address device and control method thereof |
US20190089736A1 (en) * | 2015-03-18 | 2019-03-21 | Cequence Security, Inc. | Passive detection of forged web browsers |