WO2009109118A1 - Terminal access control method, network device and system - Google Patents

Terminal access control method, network device and system

Info

Publication number
WO2009109118A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
security
server
network
request
Prior art date
Application number
PCT/CN2009/070458
Other languages
English (en)
French (fr)
Inventor
任兰芳
庄小君
尹瀚
贾科
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2009109118A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Definitions

  • Terminal access control method, network device and system
  • This application claims priority to Chinese patent application No. 200810065495.0, filed with the Chinese Patent Office on February 29, 2008 and entitled "Security state assessment method for terminal access, network device and system", and to Chinese patent application No. 200810098771.3, filed on May 28, 2008 and entitled "Terminal security state assessment method, network device and system", the entire contents of both of which are incorporated herein by reference.
  • The embodiments of the present invention relate to the field of communications technologies, and in particular to a terminal access control method, a network device, and a system.
  • Background art
  • Alongside network technology, virus technology has also developed rapidly.
  • A large share of the data traffic carried in the network is junk data generated by viruses together with scanning and attack traffic. This wastes resources, seriously degrades the operator's network efficiency and security, and also harms user terminals and services.
  • As users obtain more diverse services, the security risks to both the users and their networks increase.
  • In the existing approach, the collection of the terminal's integrity metric information and the security state assessment are performed entirely in the visited network. The resources of the terminal's home network, or of the network visited before roaming, are not used, and the integrity metric information or security state assessment results those networks already hold are not reused, which creates excessive network load and wastes resources.
  • the embodiment of the present invention provides a terminal access control method, which is applied to a first security domain and a second security domain, and the method includes:
  • the second security domain receives an access request from the terminal
  • the second security domain obtains a security policy from the first security domain, obtains the corresponding integrity metric information from the terminal according to that security policy, and performs a security state assessment on the terminal according to the integrity metric information to obtain a security state assessment result; or the second security domain sends a security policy to the first security domain, and the first security domain obtains the corresponding integrity metric information from the terminal according to that security policy, performs the security state assessment on the terminal according to the integrity metric information to obtain a security state assessment result, and provides that result to the second security domain.
  • the embodiment of the present invention further provides a terminal access control method in which the first security domain stores the security state assessment result and the integrity metric information of the terminal. When the terminal accesses the second security domain, the method includes: the second security domain receives an access request from the terminal that carries the identifier of the first security domain; according to that identifier, the second security domain requests the security state assessment result and/or the integrity metric information of the terminal from the first security domain over a secure channel that is pre-established or temporarily established between the two security domains.
  • the embodiment of the present invention further provides a network system, including: a first server of a first security domain and a second server of a second security domain, where:
  • the second server is configured to receive an access request from the terminal, request a security policy from the first security domain, obtain the security policy from the first server, obtain the corresponding integrity metric information from the terminal according to the security policy, and perform a security state assessment on the terminal according to the integrity metric information to obtain a security state assessment result;
  • the first server is configured to send a security policy to the second server.
  • the embodiment of the present invention further provides a network system, including: a first server of a first security domain and a second server of a second security domain, where:
  • the second server is configured to receive an access request from the terminal, request the first security domain to perform a security state assessment on the terminal, send a security policy to the first server, and receive the security state assessment result for the terminal from the first server;
  • the first server is configured to obtain the security policy from the second server, obtain the corresponding integrity metric information from the terminal according to the security policy, perform a security state assessment on the terminal according to the integrity metric information to obtain a security state assessment result, and feed that result back to the second server.
  • the embodiment of the invention further provides a network device, including:
  • An access request receiving unit configured to receive an access request from the terminal
  • a security policy obtaining unit configured to request a security policy from the first security domain of the terminal according to the access request, to obtain the security policy
  • a security state assessment unit configured to obtain integrity metric information from the terminal according to the security policy acquired by the security policy obtaining unit, and to perform a security state assessment on the terminal according to the integrity metric information to obtain a security state assessment result.
  • the embodiment of the invention further provides a network device, including:
  • An access request receiving unit configured to receive an access request from the terminal
  • a security assessment requesting unit configured to request the first security domain of the terminal to perform a security state assessment on the terminal, and send a security policy to the first security domain
  • a security state assessment result receiving unit configured to receive the security state assessment result for the terminal from the first security domain.
  • the embodiment of the invention further provides a terminal access control method, including:
  • the second security domain receives a communication request from the terminal
  • the second security domain or the terminal requests the first security domain to perform a security state assessment on the terminal, and the second security domain receives the resulting security state assessment result from the first security domain.
  • the embodiment of the invention further provides a network device, including:
  • a communication request receiving unit configured to receive a communication request from the terminal
  • a security status assessment result requesting unit configured to request the first security domain of the terminal to perform a security status assessment on the terminal
  • a security state assessment result receiving unit configured to receive the security state assessment result for the terminal from the first security domain.
  • the embodiment of the present invention further provides a network system, including: a first server of a first security domain and a second server of a second security domain, where:
  • the second server is configured to receive a communication request from the terminal, request the first security domain to perform a security state assessment on the terminal, and receive the security state assessment result for the terminal from the first server;
  • the first server is configured to receive a security state assessment request from the second server or from the terminal, assess the security state of the terminal according to that request using the integrity metric information received from the terminal, obtain a security state assessment result, and provide that result to the second server.
  • the embodiment of the invention further provides a terminal access control method, including:
  • the second security domain receives a communication request from the terminal
  • the second security domain or the terminal requests the first security domain to collect integrity metric information of the terminal;
  • the second security domain receives the terminal integrity metric information from the first security domain, where the terminal integrity metric information is collected by the first security domain according to the request of the second security domain or the terminal;
  • the second security domain performs a security state assessment on the terminal according to the integrity metric information, and obtains a security state assessment result.
  • the embodiment of the invention further provides a network device, including:
  • a communication request receiving unit configured to receive a communication request from the terminal
  • An integrity metric information requesting unit configured to request the first security domain of the terminal to collect integrity metric information of the terminal
  • An integrity metric information receiving unit configured to receive integrity metric information of the terminal collected from the first security domain
  • the security state evaluation unit is configured to perform security state evaluation on the terminal according to the integrity metric information acquired by the integrity metric information receiving unit, to obtain a security state evaluation result.
  • the embodiment of the present invention further provides a network system, including: a first server of a first security domain and a second server of a second security domain, where:
  • the second server is configured to receive a communication request from the terminal, request the first security domain to collect the integrity metric information of the terminal, receive the integrity metric information collected by the first server, and perform a security state assessment on the terminal according to that integrity metric information to obtain a security state assessment result;
  • the first server is configured to receive an integrity metric information request from the second server or the terminal, and collect the integrity metric information of the terminal according to the request, and provide the integrity metric information to the second server.
  • the embodiment of the invention further provides a terminal access control method in which the terminal obtains credential information from the first security domain; the method includes:
  • the second security domain receives the communication request and the credential information from the terminal; the second security domain verifies the validity of the credential information and thereby obtains a security state assessment result for the terminal.
  • the embodiment of the invention further provides a network device, including:
  • a communication request receiving unit configured to receive a communication request from the terminal
  • a credential information receiving unit configured to receive credential information from the terminal;
  • a credential information verification unit configured to verify the validity of the credential information and obtain a response to the access request of the terminal.
  • the embodiment of the present invention further provides a network system, including: a first server of a first security domain and a second server of a second security domain, where:
  • the first server is configured to provide credential information to the terminal
  • the second server is configured to receive a communication request from the terminal and the credential information; verify validity of the credential information, and obtain a response to an access request of the terminal.
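  • As an added example, not part of the patent (which does not specify any credential format), the credential flow summarized above: the first security domain issues the terminal a credential that carries its assessment result, and the second security domain verifies that credential before answering the access request. The assumptions are mine: the credential is a JSON body authenticated with an HMAC-SHA256 tag under a key shared between the two domains and looked up by issuer name; the domain names, the key, the terminal identity and the field names are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example data: one key shared between the first security domain
# (the issuer, "home.example") and the second security domain that verifies.
# How the two domains establish this key is outside what the patent describes.
DOMAIN_KEYS = {"home.example": b"constructed-shared-key-do-not-reuse"}


def _encode(body: dict) -> bytes:
    """Canonical encoding so issuer and verifier authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(issuer: str, terminal_id: str, passed: bool,
                     now: int, ttl: int) -> dict:
    """First security domain: bind the assessment result to the terminal
    identity and a validity window, then authenticate the whole body."""
    body = {"iss": issuer, "sub": terminal_id, "passed": passed,
            "iat": now, "exp": now + ttl}
    tag = hmac.new(DOMAIN_KEYS[issuer], _encode(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_credential(cred: dict, presenting_terminal: str, now: int) -> tuple:
    """Second security domain: returns (passed, reason). Every validity check
    must succeed before the result inside is believed, so a forged, tampered,
    expired or borrowed credential never yields passed=True."""
    body = cred.get("body", {})
    key = DOMAIN_KEYS.get(body.get("iss"))
    if key is None:
        return False, "unknown issuer"
    expected = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred.get("tag", "")):  # constant-time
        return False, "bad tag"
    if body.get("sub") != presenting_terminal:
        return False, "credential issued to a different terminal"
    if not body.get("iat", 0) <= now < body.get("exp", 0):
        return False, "credential expired or not yet valid"
    return bool(body.get("passed")), "assessment result accepted from issuer"


def access_decision(cred: dict, presenting_terminal: str, now: int) -> str:
    """The second domain's response to the access request (allow or refuse)."""
    passed, _ = verify_credential(cred, presenting_terminal, now)
    return "ACCESS_GRANTED" if passed else "ACCESS_DENIED"


if __name__ == "__main__":
    cred = issue_credential("home.example", "imsi-460001234567890", True, now=1000, ttl=600)
    print(access_decision(cred, "imsi-460001234567890", now=1200))
    # A terminal re-labelling someone else's credential as its own fails the tag check.
    borrowed = {"body": dict(cred["body"], sub="imsi-other"), "tag": cred["tag"]}
    print(access_decision(borrowed, "imsi-other", now=1200))
```

  • Two caveats for anyone building this: with a symmetric key, any domain holding the key can mint credentials, so across administrative boundaries a per-issuer signature (for example Ed25519) is the better fit; and the credential only transports the first domain's verdict, so the second domain is still trusting that domain's policy and collection, exactly as in the other embodiments.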
  • The embodiments of the present invention make full use of the terminal's first security domain to obtain the terminal's security state information. This improves the efficiency and security with which that information and the network are used, reduces network load, and avoids collecting security state information that already exists elsewhere.
  • FIG. 1 is a flowchart of a terminal access control method according to Embodiment 1 of the present invention.
  • FIG. 2 is a schematic diagram of a second network server according to Embodiment 1 of the present invention
  • FIG. 3 is a schematic diagram of a first network server according to Embodiment 1 of the present invention
  • FIG. 4 is a schematic diagram of a system networking of Embodiment 1 of the present invention;
  • FIG. 5 is a flowchart of a terminal access control method according to Embodiment 2 of the present invention.
  • FIG. 6 is a schematic diagram of a second network server according to Embodiment 2 of the present invention
  • FIG. 7 is a schematic diagram of a first network server according to Embodiment 2 of the present invention;
  • FIG. 8 is a flowchart of a terminal access control method according to Embodiment 3 of the present invention
  • FIG. 9 is a schematic structural diagram of a second network server according to Embodiment 3 of the present invention.
  • FIG. 10 is a schematic structural diagram of a first network server according to Embodiment 3 of the present invention.
  • FIG. 11 is a flowchart of a terminal access control method according to Embodiment 4 of the present invention.
  • FIG. 13 is a schematic structural diagram of a second network server according to Embodiment 5 of the present invention.
  • FIG. 14 is a schematic structural diagram of a first network server according to Embodiment 5 of the present invention.
  • FIG. 15 is a schematic diagram of a system networking of Embodiment 5 of the present invention.
  • FIG. 16 is a flowchart of a terminal access control method according to Embodiment 6 of the present invention.
  • FIG. 17 is a schematic structural diagram of a second network server according to Embodiment 6 of the present invention.
  • FIG. 18 is a schematic structural diagram of a first network server according to Embodiment 6 of the present invention.
  • A schematic diagram of a system networking of Embodiment 6 of the present invention.
  • FIG. 21 is a schematic structural diagram of a second network server according to Embodiment 7 of the present invention.
  • FIG. 22 is a schematic structural diagram of a first network server according to Embodiment 7 of the present invention.
  • FIG. 23 is a schematic diagram of a system networking of Embodiment 7 of the present invention.
  • FIG. 24 is a flowchart of a terminal access control method according to Embodiment 8 of the present invention.
  • Detailed description
  • In the embodiments below, the first network (network 1) is the home network of the terminal (or mobile terminal), or the network the terminal was in before roaming;
  • the second network (network 2) is the visited network (foreign network) of the terminal, that is, the network the terminal has roamed into, or a service-providing server, or another network device;
  • the network type may be a mobile network, a fixed network, a fixed-mobile convergence network, and so on, and may be a local area network, a metropolitan area network, a wide area network, an access network, a core network, a transport network, a peer-to-peer (P2P) network, a client/server (C/S) network, and so on;
  • the integrity metric information is information that reflects the security state of the terminal, such as the terminal's operating system version, patch level, firewall version, antivirus software version, and browser version;
  • the terminal may be a mobile phone, a notebook computer, or another kind of terminal that accesses the network through a mobile address (for example, Mobile IP);
  • the communication request may be a communication request at any layer of the network, including an access request at the physical or link layer and a service request at the application layer.
  • Embodiment 1
  • In this embodiment a request to access a network is taken as the example of a communication request.
  • This embodiment provides an access control method for a terminal (or mobile terminal) accessing a network, in which network 2 completes the assessment according to the security policy configuration of network 1. Referring to FIG. 1, the method includes:
  • Step 1 The terminal initiates an access request to network 2;
  • Step 2 Network 2 completes identity authentication of the terminal through network 1, the home network of the terminal;
  • Step 3 Network 2 requests the security policy configuration information corresponding to the terminal from network 1;
  • the security policy may be, for example, that the network needs to check whether the terminal's operating system version is up to date, or whether its antivirus software version is up to date;
  • Step 4 Network 1 provides the security policy configuration information of the terminal to network 2;
  • Step 5 Network 2 requests the corresponding integrity metric information from the terminal according to the security policy received from network 1; the integrity metric information may be, for example, the operating system version information or the antivirus software version information of the terminal;
  • Step 6 The terminal responds to network 2 with the requested integrity metric information;
  • Step 7 Network 2 requests further integrity metric information;
  • Step 8 The terminal responds with the further integrity metric information requested by network 2;
  • Step 9 Network 2 performs a security state assessment on the terminal according to the integrity metric information reported by the terminal and obtains a security state assessment result;
  • Step 10 Network 2 responds to the access request of the terminal according to the security state assessment result: if the assessment passes, the terminal is allowed to access; otherwise access may be refused, or an access failure may be indicated.
  • For example, the terminal may be a mobile phone; the server of network 1 may be the access policy decision point PDP1 of the mobile phone's home network; and the server of network 2 may be the policy decision point PDP2 of the visited network the mobile phone wants to access after roaming.
  • The visited network requests the corresponding security policy configuration information from the PDP of the mobile phone's home network, and according to this security policy it configures the collection of integrity metrics and the security state assessment of the handset. If the assessment passes, access is allowed; otherwise the mobile phone is denied access to the current visited network.
  • Referring to FIG. 2, the second network (network 2) server in this embodiment may include: an access request receiving unit 202, configured to receive an access request from the terminal; a security policy obtaining unit 204, configured to request, according to the access request, a security policy from the home network of the terminal or from the network visited before roaming, and to obtain that policy;
  • a security state assessment unit 206, configured to obtain integrity metric information from the terminal according to the security policy acquired by the security policy obtaining unit 204, and to perform a security state assessment on the terminal according to the integrity metric information to obtain a security state assessment result;
  • an access response unit 208, configured to respond to the access request of the terminal according to the security state assessment result obtained by the security state assessment unit 206: if the assessment passes, the terminal is allowed to access; otherwise access is denied.
  • Referring to FIG. 3, the first network (network 1) server in this embodiment may include: a security policy providing unit 302, configured to provide the security policy to the second network server at the second network server's request.
  • the system networking diagram of this embodiment is shown in FIG. 4.
  • the system may include: a first server 402 of the network 1, and a second server 404 of the network 2, where:
  • a second server 404, configured to receive an access request from the terminal, request a security policy from the first network, obtain the security policy from the first server 402, obtain the corresponding integrity metric information from the terminal according to the security policy, and perform a security state assessment on the terminal according to that integrity metric information;
  • the first server 402 is configured to send a security policy to the second server.
  • In this embodiment the visited network draws on the home network of the terminal, or on the network visited before roaming, when obtaining the terminal's integrity metric information, which improves the efficiency and security of information utilization and reduces the load on the visited network.
  • Embodiment 2
  • In this embodiment a request to access a network is again taken as the example of a communication request.
  • Another embodiment of the present invention provides an access control method for a terminal accessing a network. Since network 2 itself is not equipped with a TNC (Trusted Network Connect) architecture, it must ask the terminal's network 1 to perform the assessment, which network 1 does according to the policy configuration of network 2. Referring to FIG. 5, the method includes:
  • Step 1 The terminal initiates an access request to network 2;
  • Step 2 Network 2 completes identity authentication of the terminal through network 1;
  • Step 3 Network 2 requests network 1 to perform a security state assessment, carrying its own security policy configuration information in the request;
  • Step 4 Network 1 requests the corresponding integrity metric information from the terminal according to the security policy from network 2;
  • Step 5 The terminal responds to network 1 with the requested integrity metric information;
  • Step 6 Network 1 requests further integrity metric information;
  • Step 7 The terminal reports the further integrity metric information;
  • Step 8 Network 1 completes the security state assessment of the terminal according to the security policy configuration from network 2;
  • Step 9 Network 1 informs network 2 of the security state assessment result;
  • Step 10 Network 2 responds to the access request of the terminal: if the assessment passes, the terminal is allowed to access; otherwise access may be denied or an access failure indicated.
  • In this embodiment the visited network the terminal roams into cannot itself perform the security state assessment of the terminal, yet it still needs the terminal's integrity metric information checked against its own security policy configuration before it can respond to the terminal's access request.
  • The visited network therefore sends its own security policy configuration information to the PDP of the terminal's home network and asks the home network to complete the security state assessment of the terminal according to that policy configuration.
  • The home network collects the terminal's integrity metric information according to this policy configuration, completes the security assessment, and feeds the result back to the visited network. Having obtained this result, the visited network makes an access response to the terminal that requested access based on it.
  • Referring to FIG. 6, the second network (network 2) server in this embodiment may include: an access request receiving unit 602, configured to receive an access request from the terminal; a security assessment requesting unit 604, configured to request the home network of the terminal, or the network visited before roaming, to perform a security state assessment on the terminal, and to send a security policy to the first server;
  • a security state assessment result receiving unit 606, configured to receive the security state assessment result for the terminal from the first network server;
  • the access response unit 608 is configured to respond to the access request of the terminal according to the security status assessment result obtained by the security status assessment result receiving unit 606.
  • Referring to FIG. 7, the first network (network 1) server of this embodiment may include: a security policy receiving unit 702, configured to receive a security policy from the second network server;
  • a security state assessment unit 704, configured to request the corresponding integrity metric information from the terminal according to the security policy received from the second network server, and to perform a security state assessment on the terminal according to the integrity metric information to obtain a security state assessment result.
  • The system networking diagram of this embodiment is the same as FIG. 4.
  • The system may include a first server of network 1 and a second server of network 2, where: the second server is configured to receive an access request from the terminal, request the first network to perform a security state assessment on the terminal, send a security policy to the first server, and receive the security state assessment result for the terminal from the first server;
  • the first server is configured to negotiate with the second server, obtain the security policy from the second server, obtain the corresponding integrity metric information from the terminal according to the security policy, perform the security state assessment according to the integrity metric information, and return the assessment result to the second server.
  • the embodiment of the present invention obtains the security state evaluation result of the terminal by using the home network of the terminal or the visited network before roaming, improves the utilization efficiency and security of the network, and reduces the visited network load.
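  • An added example (mine, not code from the patent) that runs the two flows of Embodiments 1 and 2 in one process. In the first, network 2 fetches the terminal's security policy from network 1 and assesses the terminal itself; in the second, network 2 has no TNC machinery of its own, so it sends its policy to network 1, which collects the integrity metric information and assesses. Assumptions: a security policy is a mapping from metric name to minimum acceptable version, integrity metric information is the terminal's self-reported version strings, and identity authentication (step 2) is taken as already done; the network names, terminal identity and sample versions are constructed.

```python
from dataclasses import dataclass, field


def version_tuple(v: str) -> tuple:
    """'10.2.1' -> (10, 2, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def assess(policy: dict, metrics: dict) -> tuple:
    """Security state assessment shared by both flows: every metric the policy
    names must be reported and be at least the required version.
    Returns (passed, list_of_failures)."""
    failures = []
    for metric, minimum in policy.items():
        reported = metrics.get(metric)
        if reported is None or version_tuple(reported) < version_tuple(minimum):
            failures.append(f"{metric}: reported {reported}, need >= {minimum}")
    return (not failures), failures


@dataclass
class Terminal:
    identity: str
    home: str                                      # identifier of network 1
    metrics: dict = field(default_factory=dict)    # integrity metric information

    def report(self, requested: list) -> dict:
        """The terminal answers only the metrics it was asked for (steps 5-8)."""
        return {m: self.metrics.get(m) for m in requested}


class HomeNetwork:                   # network 1 / first security domain
    def __init__(self, name: str, policies: dict):
        self.name = name
        self.policies = policies     # per-terminal security policy configuration

    def policy_for(self, terminal_id: str) -> dict:
        """Embodiment 1, step 4: hand the terminal's policy to the visited network."""
        return self.policies[terminal_id]

    def assess_for(self, terminal: Terminal, visitor_policy: dict) -> tuple:
        """Embodiment 2, steps 4-8: collect the metrics and assess them against
        the visited network's policy, then return the result to it."""
        return assess(visitor_policy, terminal.report(list(visitor_policy)))


class VisitedNetwork:                # network 2 / second security domain
    def __init__(self, name: str, homes: dict, own_policy: dict, has_tnc: bool):
        self.name, self.homes, self.own_policy, self.has_tnc = name, homes, own_policy, has_tnc

    def handle_access_request(self, terminal: Terminal) -> tuple:
        home = self.homes[terminal.home]          # step 2: authenticated via network 1 (assumed)
        if self.has_tnc:                          # Embodiment 1
            policy = home.policy_for(terminal.identity)                       # steps 3-4
            passed, failures = assess(policy, terminal.report(list(policy)))  # steps 5-9
        else:                                     # Embodiment 2
            passed, failures = home.assess_for(terminal, self.own_policy)     # steps 3-9
        return ("ACCESS_GRANTED" if passed else "ACCESS_DENIED"), failures    # step 10


# Constructed sample data: one home network, one phone, two visited networks.
HOME = HomeNetwork("home.example", {"phone-1": {"os_version": "10.2", "antivirus_version": "4.0"}})
PHONE = Terminal("phone-1", "home.example",
                 {"os_version": "10.3", "antivirus_version": "3.9", "firewall_version": "2.1"})
VISITED_WITH_TNC = VisitedNetwork("visited-a", {"home.example": HOME}, {}, has_tnc=True)
VISITED_NO_TNC = VisitedNetwork("visited-b", {"home.example": HOME},
                                {"os_version": "10.0", "firewall_version": "2.0"}, has_tnc=False)


def run_both() -> dict:
    """Same terminal, same moment, both embodiments."""
    return {"embodiment_1": VISITED_WITH_TNC.handle_access_request(PHONE),
            "embodiment_2": VISITED_NO_TNC.handle_access_request(PHONE)}


if __name__ == "__main__":
    for name, (decision, failures) in run_both().items():
        print(name, decision, failures)
```

  • The same phone is refused under Embodiment 1 and admitted under Embodiment 2, because the verdict depends on whose policy is applied, not only on the terminal's state. In Embodiment 2 network 2 never sees the metrics and must trust network 1's collection and assessment, and in both flows the metrics here are self-reported strings: for them to mean anything, the collection the patent calls integrity measurement has to be backed by something the terminal cannot simply lie about, such as attested platform measurements.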
  • Embodiment 3
  • In this embodiment a request to access a network is again taken as the example of a communication request.
  • Another embodiment of the present invention provides an access control method for a terminal accessing a network, in which network 1 stores a security state assessment result for the terminal and network 2 uses that result directly. When network 2's security level requirement for the terminal is low and no new security state assessment of the terminal is needed, network 2 only needs to request the previous assessment result from network 1 and uses it as a reference condition for the terminal's access. Referring to FIG. 8, the method includes:
  • Step 1 The terminal initiates an access request to network 2;
  • Step 2 Network 2 completes identity authentication of the terminal through network 1;
  • Step 3 Network 2 directly requests from network 1 its most recent assessment result for the terminal;
  • Step 4 Network 1 sends the stored security state assessment result to network 2;
  • Step 5 Network 2 makes an access response to the terminal with reference to that security state assessment result.
  • In this embodiment the security level of the visited network the terminal requests to access is not high, so the visited network does not need to collect and evaluate the terminal's integrity metric information itself. It only needs to obtain, through the terminal's home network, the result of an assessment performed earlier, and it responds directly to the terminal's access request with reference to that result.
  • Referring to FIG. 9, the second network (network 2) server of this embodiment may include:
  • an access request receiving unit 902, configured to receive an access request from the terminal;
  • a security state assessment result requesting unit 904, configured to request the security state assessment result for the terminal from the first network server.
  • Referring to FIG. 10, the first network (network 1) server of this embodiment may include: a security state assessment result providing unit 1002, configured to provide the security state assessment result it stores to the second network server at the second network server's request.
  • the embodiment of the present invention obtains the security state evaluation result of the terminal by using the home network of the terminal or the visited network before roaming, improves the utilization efficiency and security of the network, and reduces the visited network load.
  • Embodiment 4
  • In this embodiment a request to access a network is again taken as the example of a communication request.
  • Another embodiment of the present invention provides an access control method for a terminal accessing a network. A trust relationship may be pre-established between network 1 and network 2 when the networks are deployed and a secure channel maintained between them, or a secure channel may be established temporarily, and the integrity metric information and the security state assessment result of the terminal are stored in network 1. Over this secure channel the terminal's integrity metrics and security state assessment results can be shared between network 1 and network 2. This reduces repeated transmission of integrity metric information in the network, which in turn reduces security risk, shortens handover delay, and avoids degrading the service quality of real-time services.
  • The terminal integrity metric information exchanged between network 1 and network 2 can be associated with the terminal by an identity such as the terminal user's IMSI or a URL. Referring to FIG. 11, the method includes:
  • Stepl Step 6: similar to the case of the previous embodiment
  • Step 7 After the terminal roams to the network 2, initiates an access request to the network 2, where the request includes the identifier of the network 1, or the identifier of the network 1 may be sent independently of the access request;
  • Step 8 The current network 2 completes the identity authentication of the terminal through the network 1;
  • Step 9 Through the identifier of the network 1, the current network 2 requests the original network 1 for the integrity metric information and/or the security status assessment result of the terminal it saves through a pre-established or temporarily established secure channel; Step 10. The original network 1 responds to the request of the network 2, and provides the terminal integrity metric information and/or the security status assessment result;
  • Step 11 The current network 2 selects whether to perform security status assessment according to the security level requirements of the access terminal. If the security level of the terminal is not high, it can directly respond to the evaluation result of the original network 1; if the security level requires If the network 2 is high, the network 2 can perform security state assessment on the terminal according to the integrity metric information, and obtain a security state evaluation result;
  • Step 12 The current network 2 makes an access response to the terminal requesting access based on the security status assessment result.
  • the network 1 can be either a visited network or a home network.
  • When a terminal roams between multiple networks, one way is to store its integrity metric information or security state evaluation result in a server of the home network, so that when the terminal roams and accesses different visited networks, those visited networks only need to request the corresponding integrity metric information or security state evaluation result from the terminal's home network.
  • Another way is for the visited network where the terminal is currently located to store the integrity metric information of the terminal and the current security state evaluation result.
  • When the terminal roams to the next network, the new visited network only needs to request the integrity metric information or the security state evaluation result corresponding to the terminal from the previous visited network, and does not need to obtain this information from the home network of the terminal.
  • the embodiment of the present invention obtains the security state evaluation result of the terminal by using the home network of the terminal or the visited network before roaming, improves the utilization efficiency and security of the information and the network, and reduces the load on the visited network.
  • Embodiment 5
  • Another embodiment of the present invention provides a terminal access control method. After a terminal initiates a communication request to network 2, network 1 sends the security state evaluation result of the terminal to network 2, and network 2 responds to the terminal's communication request accordingly.
  • the method includes:
  • Step 1. The terminal initiates a communication request to network 2;
  • Step 2. Network 2 or the terminal requests network 1 to perform security state evaluation of the terminal;
  • Step 3. Network 1 obtains the integrity metric information from the terminal and performs security state evaluation of the terminal;
  • Step 4. Network 1 sends the evaluation result to network 2;
  • Step 5. Network 2 responds to the communication request of the terminal with reference to the security state evaluation result.
  • This embodiment may further include, before or after Step 2:
  • network 2 completes the identity authentication of the terminal through the terminal's network 1.
  • In this embodiment, after the terminal initiates a communication request to network 2, network 2 may initiate a request to network 1 asking it to perform security state evaluation of the terminal.
  • Alternatively, after the terminal initiates a communication request to network 2, the terminal requests network 1 to perform security state evaluation of it, the request including the identifier of network 2.
  • After network 1 completes the security state evaluation, the security state evaluation result is provided to network 2.
  • the second network (network 2) server of this embodiment may include: a communication request receiving unit 1302, configured to receive a communication request from the terminal; and a security state evaluation result requesting unit 1304, configured to request the home network of the terminal or the visited network before roaming to perform security state evaluation of the terminal;
  • the security status assessment result receiving unit 1306 is configured to receive a security status assessment result from the home network or the visited network to the terminal.
  • the second network (network 2) server may further include:
  • the response unit 1308 is configured to respond to the communication request of the terminal according to the security status assessment result obtained by the security status evaluation result receiving unit 1306.
  • the first network (network 1) server of this embodiment may include: a security state evaluation result providing unit 1402, configured to provide its own stored security state evaluation result to the second network server according to a security state evaluation request from the terminal or from the second network server.
  • the network system of this embodiment includes:
  • the second server 1504 is configured to receive a communication request from the terminal; request the first network to perform security state evaluation of the terminal; and receive the security state evaluation result of the terminal from the first server;
  • the first server 1502 is configured to receive a security state assessment request from the second server or from the terminal, and according to the request, evaluate the security state according to the integrity metric information received from the terminal, to obtain a security state assessment result, and The evaluation result is provided to the second server.
  • the second server 1504 is further configured to respond to the communication request of the terminal according to the security status assessment result.
  • the embodiment of the present invention obtains the security state evaluation result of the terminal by using the home network of the terminal or the visited network before roaming, improves the utilization efficiency and security of the network, and reduces the visited network load.
  • Embodiment 6
  • Another embodiment of the present invention provides a terminal access control method. After a terminal initiates a communication request to network 2, network 1 collects the integrity metric information of the terminal and sends it to network 2; network 2 uses this integrity metric information to evaluate the security state of the terminal and responds according to the evaluation result.
  • the method includes:
  • Step 1. The terminal initiates a communication request to network 2;
  • Step 2. Network 2 or the terminal requests network 1 to collect the integrity metric information of the terminal;
  • Step 3. Network 1 collects the integrity metric information of the terminal;
  • Step 4. Network 1 sends the collected integrity metric information of the terminal to network 2;
  • Step 5. Network 2 uses the integrity metric information of the terminal to perform security state evaluation of the terminal;
  • Step 6. Network 2 responds to the communication request of the terminal according to the security state evaluation result.
  • This embodiment may further include, before or after Step 2: network 2 completes the identity authentication of the terminal through the terminal's network 1.
  • In this embodiment, after the terminal initiates a communication request to network 2, network 2 may initiate a request to network 1 asking it to collect the integrity metric information of the terminal. Alternatively, after the terminal initiates an access request to network 2, the terminal requests network 1 to collect its integrity metric information, the request including the identifier of network 2; after network 1 completes the collection, the information is sent to network 2.
  • the second network (network 2) server of this embodiment may include: a communication request receiving unit 1702, configured to receive a communication request from the terminal; and an integrity metric information requesting unit 1704, configured to request the home network of the terminal or the visited network before roaming to collect the integrity metric information of the terminal;
  • the integrity metric information receiving unit 1706 is configured to receive integrity metric information from the terminal collected by the home network or the visited network;
  • the security status evaluation unit 1708 is configured to perform security status assessment on the terminal according to the integrity metric information acquired by the integrity metric information receiving unit 1706, to obtain a security status assessment result.
  • the second network (network 2) server may further include:
  • the response unit 1710 is configured to respond to the communication request of the terminal according to the security status evaluation result obtained by the security status evaluation unit 1708.
  • the first network (network 1) server of this embodiment may include: an integrity metric information providing unit 1802, configured to provide the collected integrity metric information to the second network server according to the request of the second network server.
  • this embodiment further provides a network system, including:
  • the second server 1904 is configured to receive a communication request from the terminal; request the first network to collect the integrity metric information of the terminal; receive the collected integrity metric information of the terminal from the first server; and perform security state evaluation of the terminal according to the integrity metric information to obtain a security state evaluation result;
  • the first server 1902 is configured to receive an integrity metric information request from the second server or the terminal, and collect the integrity metric information of the terminal according to the request, and provide the integrity metric information to the second server. Further, the second server is further configured to respond to the communication request of the terminal according to the security status assessment result.
  • the embodiment of the invention obtains the integrity metric information of the terminal by using the home network of the terminal or the visited network before roaming, improves the utilization efficiency and security of the information and the network, and reduces the load on the visited network.
  • Embodiment 7
  • Another embodiment of the present invention provides a terminal access control method in which the terminal requests from network 1 a credential (e.g., a certificate, token, etc.) that can attest its security state. After the terminal initiates a communication request to network 2, network 2 verifies the credential and responds to the communication request based on the verification result.
  • the method includes:
  • Step 1. The terminal obtains a credential from network 1, such as a certificate, a token, etc.;
  • Step 2. The terminal initiates a communication request to network 2, carrying the credential;
  • Step 3. After completing the identity authentication of the terminal, network 2 verifies the validity of the credential;
  • Step 4. Network 2 responds to the communication request of the terminal according to the verification result.
  • the communication request may be a request for the terminal to initiate an access network to the network 2; or the terminal may initiate a request for a certain service to a service providing server (for example, in the network 2).
  • the second network (network 2) server of this embodiment may include: a communication request receiving unit 2102, configured to receive a communication request from the terminal; and a credential information receiving unit 2104, configured to receive credential information from the terminal;
  • the credential information verification unit 2106 is configured to verify the validity of the credential information, and obtain a security status evaluation result for the terminal.
  • the second network (network 2) server may further include:
  • the response unit 2108 is configured to respond to the communication request of the terminal according to the security status assessment result obtained by the credential information verification unit 2106.
  • the first network (network 1) server of this embodiment may include:
  • the credential providing unit 2202 is configured to provide the credential information identifying the security to the terminal.
  • this embodiment further provides a network system, including:
  • the first server 2302 is configured to provide credential information to the terminal;
  • the second server 2304 is configured to receive the communication request and the credential information from the terminal, verify the validity of the credential information, and obtain a security state evaluation result for the terminal.
  • Further, the second server may respond to the communication request of the terminal according to the security state evaluation result.
  • another embodiment of the present invention provides a terminal access control method, which is applied to a system including a first security domain and a second security domain, and includes the following steps:
  • Step 1. When the terminal requests access to an RSD (Relying Security Domain), it initiates an access request to the RSD;
  • Step 2. The RSD obtains the SPI (Security Posture Information) of the terminal; the SPI may be the terminal's integrity metric information or a security state evaluation result, and may be obtained from an ASD (Asserting Security Domain) or from the terminal.
  • Step 3. The RSD responds to the terminal according to the security state information of the terminal.
  • the RSD may allow the terminal to access according to the security status information, or may reject the terminal access according to the security status information, or allow the terminal part to access according to the security status information.
  • the embodiment of the present invention obtains the security state evaluation result of the terminal by using the home network of the terminal or the visited network before roaming, improves the utilization efficiency and security of the information and the network, and reduces the load on the visited network.
  • The embodiments of the present invention can make full use of the home network of the terminal or the visited network before roaming to obtain the security state evaluation result or the integrity metric information of the terminal, improve the utilization efficiency and security of the information and the network, reduce the network load, and resolve the delay or service interruption caused by the collection of integrity metric information and by unnecessary security state evaluations.
  • The technical solution may be embodied as a software product stored in a non-volatile storage medium (which can be a CD-ROM, a USB flash drive, a portable hard disk, etc.), including instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Description

Terminal access control method, network device and system

This application claims priority to the Chinese patent application filed with the Chinese Patent Office on February 29, 2008, application number 200810065495.0, entitled "A security state evaluation method for terminal access, network device and system", and to the Chinese patent application filed with the Chinese Patent Office on May 28, 2008, application number 200810098771.3, entitled "A terminal security state evaluation method, network device and system", the entire contents of which are incorporated herein by reference.

Technical field
The embodiments of the present invention relate to the field of communications technologies, and in particular to a terminal access control method, a network device and a system.

Background art
With the rapid development and widespread use of the Internet, virus technology has also developed rapidly. When a virus breaks out on a large scale, a large proportion of the data traffic transmitted in the network is junk data and probing or attack traffic generated by the virus, which wastes resources, seriously affects the efficiency and security of the operator's network, and also has adverse effects on and poses security threats to users' terminals and services. While users obtain more diverse services, the security risks to themselves and to the network also increase greatly.
Security threats originating inside the operator's network are relatively easy to manage and guard against, whereas virus intrusion into user terminals is much easier; moreover, users are widely distributed, small terminals have weak protection because of limited resources, and there is no guarantee that every client has antivirus software or a firewall installed. Even if every client has security software installed, the lack of unified control means users may well fail to apply security updates in time, leaving security hazards such as system vulnerabilities or outdated virus signature databases.
At the same time, with the development of mobile technology and the spread of mobile terminals, more and more users want to be able to access the network at any time while on the move and enjoy a variety of services. Therefore, security protection and security evaluation are needed not only for fixed terminals or fixed users; more importantly, seamless security state evaluation of mobile terminals must be achieved. In the course of implementing the present invention, the inventors found that the prior art has at least the following problem:
In the prior art, the collection of terminal integrity metric information and the security state evaluation are performed in the visited network, which cannot make full use of the resources of the terminal's home network or of the visited network before roaming, nor of the integrity metric information or security state evaluation results those networks have already obtained, resulting in excessive load on the visited network and wasted resources.
Summary of the invention
An embodiment of the present invention provides a terminal access control method, applied to a first security domain and a second security domain, the method comprising:
receiving an access request from a terminal of the first security domain;
obtaining security state information of the terminal;
responding to the access request of the terminal according to the security state information of the terminal.

An embodiment of the present invention provides a terminal access control method, applied to a first security domain and a second security domain, the method comprising:
the second security domain receiving an access request from the terminal;
the second security domain obtaining a security policy from the first security domain, obtaining corresponding integrity metric information from the terminal according to the security policy, and performing security state evaluation of the terminal according to the integrity metric information to obtain a security state evaluation result; or, the second security domain sending a security policy to the first security domain, the first security domain obtaining corresponding integrity metric information from the terminal according to the security policy, performing security state evaluation of the terminal according to the integrity metric information to obtain a security state evaluation result, and providing the security state evaluation result to the second security domain.
An embodiment of the present invention further provides a terminal access control method in which the first security domain stores the security state evaluation result and integrity metric information of the terminal; when the terminal accesses the second security domain, the method comprises: the second security domain receiving from the terminal an access request and information including an identifier of the first security domain; the second security domain, according to the identifier of the first security domain, initiating to the first security domain a request for the security state evaluation result and/or integrity metric information of the terminal, and obtaining, through a secure channel pre-established or temporarily established with the first security domain, the security state evaluation result and/or integrity metric information of the terminal stored by the first security domain.
An embodiment of the present invention further provides a network system, comprising a first server of the first security domain and a second server of the second security domain, wherein:
the second server is configured to receive an access request from the terminal; request a security policy from the first security domain and obtain the security policy from the first server; obtain corresponding integrity metric information from the terminal according to the security policy; and perform security state evaluation of the terminal according to the integrity metric information to obtain a security state evaluation result;
the first server is configured to send the security policy to the second server.
An embodiment of the present invention further provides a network system, comprising a first server of the first security domain and a second server of the second security domain, wherein:
the second server is configured to receive an access request from the terminal; request the first security domain to perform security state evaluation of the terminal and send a security policy to the first server; and receive the security state evaluation result of the terminal from the first server;
the first server is configured to obtain the security policy from the second server, obtain corresponding integrity metric information from the terminal according to the security policy, perform security state evaluation of the terminal according to the integrity metric information to obtain a security state evaluation result, and feed the evaluation result back to the second server.
An embodiment of the present invention further provides a network device, comprising:
an access request receiving unit, configured to receive an access request from a terminal;
a security policy obtaining unit, configured to request a security policy from the terminal's first security domain according to the access request and obtain the security policy;
a security state evaluation unit, configured to obtain integrity metric information from the terminal according to the security policy obtained by the security policy obtaining unit, and perform security state evaluation of the terminal according to the integrity metric information to obtain a security state evaluation result.

An embodiment of the present invention further provides a network device, comprising:
an access request receiving unit, configured to receive an access request from a terminal;
a security evaluation requesting unit, configured to request the terminal's first security domain to perform security state evaluation of the terminal and send a security policy to the first security domain;
a security state evaluation result receiving unit, configured to receive the security state evaluation result of the terminal from the first security domain.

An embodiment of the present invention further provides a terminal access control method, comprising:
the second security domain receiving a communication request from a terminal;
the second security domain or the terminal requesting the first security domain to perform security state evaluation of the terminal;
the second security domain receiving from the first security domain the security state evaluation result of the terminal, the security state evaluation result having been obtained by the first security domain, at the request of the second security domain or the terminal, by evaluating integrity metric information received from the terminal.
An embodiment of the present invention further provides a network device, comprising:
a communication request receiving unit, configured to receive a communication request from a terminal;
a security state evaluation result requesting unit, configured to request the terminal's first security domain to perform security state evaluation of the terminal;
a security state evaluation result receiving unit, configured to receive the security state evaluation result of the terminal from the first security domain.
An embodiment of the present invention further provides a network system, comprising a first server of the first security domain and a second server of the second security domain, wherein:
the second server is configured to receive a communication request from the terminal; request the first security domain to perform security state evaluation of the terminal; and receive the security state evaluation result of the terminal from the first server;
the first server is configured to receive a security state evaluation request from the second server or from the terminal, evaluate the security state according to the request on the basis of integrity metric information received from the terminal to obtain a security state evaluation result, and provide the evaluation result to the second server.
An embodiment of the present invention further provides a terminal access control method, comprising:
the second security domain receiving a communication request from a terminal;
the second security domain or the terminal requesting the first security domain to collect integrity metric information of the terminal;
the second security domain receiving the terminal's integrity metric information from the first security domain, the integrity metric information having been collected from the terminal by the first security domain at the request of the second security domain or the terminal;
the second security domain performing security state evaluation of the terminal according to the integrity metric information to obtain a security state evaluation result.
An embodiment of the present invention further provides a network device, comprising:
a communication request receiving unit, configured to receive a communication request from a terminal;
an integrity metric information requesting unit, configured to request the terminal's first security domain to collect the integrity metric information of the terminal;
an integrity metric information receiving unit, configured to receive the terminal's integrity metric information collected by the first security domain;
a security state evaluation unit, configured to perform security state evaluation of the terminal according to the integrity metric information obtained by the integrity metric information receiving unit, to obtain a security state evaluation result.
An embodiment of the present invention further provides a network system, comprising a first server of the first security domain and a second server of the second security domain, wherein:
the second server is configured to receive a communication request from the terminal; request the first security domain to collect the integrity metric information of the terminal; receive the collected integrity metric information of the terminal from the first server; and perform security state evaluation of the terminal according to the integrity metric information to obtain a security state evaluation result;
the first server is configured to receive an integrity metric information request from the second server or the terminal, collect the integrity metric information of the terminal according to the request, and provide the integrity metric information to the second server.
An embodiment of the present invention further provides a terminal access control method in which the terminal obtains credential information from the first security domain, the method comprising:
the second security domain receiving a communication request and the credential information from the terminal;
the second security domain verifying the validity of the credential information to obtain a security state evaluation result of the terminal.
An embodiment of the present invention further provides a network device, comprising:
a communication request receiving unit, configured to receive a communication request from a terminal;
a credential information receiving unit, configured to receive credential information from the terminal;
a credential information verification unit, configured to verify the validity of the credential information and obtain a response to the access request of the terminal.
An embodiment of the present invention further provides a network system, comprising a first server of the first security domain and a second server of the second security domain, wherein:
the first server is configured to provide credential information to the terminal;
the second server is configured to receive a communication request and the credential information from the terminal, verify the validity of the credential information, and obtain a response to the access request of the terminal.
Compared with the prior art, the embodiments of the present invention make full use of the terminal's first security domain to obtain the security state information of the terminal, which improves the utilization efficiency and security of information and of the network, reduces network load, and solves the delay or service interruption caused by collecting security state information and by unnecessary security state evaluations.

Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could derive other drawings from them without creative effort.
Fig. 1 is a flowchart of the terminal access control method of Embodiment 1 of the present invention;
Fig. 2 is a schematic diagram of the second network server of Embodiment 1 of the present invention;
Fig. 3 is a schematic diagram of the first network server of Embodiment 1 of the present invention;
Fig. 4 is a schematic networking diagram of the system of Embodiment 1 of the present invention;
Fig. 5 is a flowchart of the terminal access control method of Embodiment 2 of the present invention;
Fig. 6 is a schematic diagram of the second network server of Embodiment 2 of the present invention;
Fig. 7 is a schematic diagram of the first network server of Embodiment 1 of the present invention;
Fig. 8 is a flowchart of the terminal access control method of Embodiment 3 of the present invention;
Fig. 9 is a schematic diagram of the second network server of Embodiment 3 of the present invention;
Fig. 10 is a schematic diagram of the first network server of Embodiment 3 of the present invention;
Fig. 11 is a flowchart of the terminal access control method of Embodiment 4 of the present invention;
Fig. 12 is a flowchart of the terminal access control method of Embodiment 5 of the present invention;
Fig. 13 is a schematic diagram of the second network server of Embodiment 5 of the present invention;
Fig. 14 is a schematic diagram of the first network server of Embodiment 5 of the present invention;
Fig. 15 is a schematic networking diagram of the system of Embodiment 5 of the present invention;
Fig. 16 is a flowchart of the terminal access control method of Embodiment 6 of the present invention;
Fig. 17 is a schematic diagram of the second network server of Embodiment 6 of the present invention;
Fig. 18 is a schematic diagram of the first network server of Embodiment 6 of the present invention;
Fig. 19 is a schematic networking diagram of the system of Embodiment 6 of the present invention;
Fig. 20 is a flowchart of the terminal access control method of Embodiment 7 of the present invention;
Fig. 21 is a schematic diagram of the second network server of Embodiment 7 of the present invention;
Fig. 22 is a schematic diagram of the first network server of Embodiment 7 of the present invention;
Fig. 23 is a schematic networking diagram of the system of Embodiment 7 of the present invention;
Fig. 24 is a flowchart of the terminal access control method of Embodiment 8 of the present invention.

Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In each of the embodiments below, the first network (denoted network 1) refers to the home network of the terminal (or mobile terminal) or the network where it was located before roaming; the second network (denoted network 2) refers to the visited (or foreign) network of the terminal (or mobile terminal) or the network where it is located after roaming, or a service providing server, or other network equipment. The network type may be a mobile network, a fixed network, a fixed-mobile converged network, etc.; it may be a local area network, metropolitan area network or wide area network; an access network, core network or transport network; a peer-to-peer (P2P) network, a client/server (C/S) network, etc.
In each of the embodiments below, the integrity metric information may be information reflecting the security state of the terminal, such as the version of the operating system on the terminal, patch information, firewall version, antivirus software version, browser version and other related information.
In each of the embodiments below, the terminal (or mobile terminal) may be a mobile phone, a notebook computer or a similar terminal, or another type of terminal that accesses the network by way of a mobile address (such as Mobile IP), and so on.
In each of the embodiments below, the communication request may be a communication request at any layer of the network, including access requests at the physical layer and link layer, and business or service requests at the application layer.

Embodiment 1
Referring to Fig. 1, taking a request to access a network as the example of a communication request, an embodiment of the present invention proposes an access control method for a terminal (or mobile terminal) accessing a network, in which network 2 completes the evaluation according to the security policy configuration of network 1. The method comprises:
Step 1. The terminal initiates an access request to network 2;
Step 2. Network 2 completes identity authentication of the terminal through the terminal's network 1;
Step 3. Network 2 requests from the terminal's network 1 the security policy configuration information corresponding to the terminal; the security policy may be, for example, that the network needs to check whether the terminal's operating system version is up to date, or whether its antivirus software version is up to date, etc.;
Step 4. Network 1 provides network 2 with the security policy configuration information of the terminal;
Step 5. Network 2 requests the corresponding integrity metric information from the terminal according to the security policy from network 1; the integrity metric information may be, for example, the terminal's operating system version information or antivirus software version information;
Step 6. The terminal responds with the integrity metric information requested by network 2;
Step 7. Network 2 requests other integrity metric information;
Step 8. The terminal responds with the other integrity metric information requested by network 2;
Step 9. Network 2 performs security state evaluation of the terminal according to the integrity metric information reported by the terminal, and obtains a security state evaluation result;
Step 10. Network 2 responds to the terminal's access request according to the security state evaluation result obtained: if the security state evaluation passes, the terminal is allowed to access; otherwise access may be refused or an access failure indicated.
For example, the terminal may be a mobile phone, the server of network 1 may be the access policy decision point PDP1 of the home network to which the phone belongs, and the server of network 2 may be the policy decision point PDP2 of the visited network the phone wants to access after roaming. The visited network then requests the corresponding security policy configuration information from the PDP of the phone's home network. After receiving this response, the visited network collects integrity metric information from the phone and evaluates its security state according to this security policy configuration. If the evaluation passes, access is allowed; otherwise the phone is refused access to the current visited network.
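The following Python sketch is an added example, not code from the patent, of the visited-network (PDP2) side of Steps 5 to 10: the policy received from network 1 names which integrity metrics to collect and the minimum version each must meet, and a metric the terminal does not report fails closed. The policy layout, the attribute names and all sample values are constructed for illustration.

```python
"""
Added example (not from the patent): network 2 (the visited PDP) applies a
security policy fetched from network 1 (the home PDP) to the integrity
metric information it collects from the terminal (Steps 5-10).
Policy format, attribute names and sample values are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed security policy configuration as network 1 might return it:
# each entry names one integrity metric and the minimum acceptable version.
HOME_POLICY: Dict[str, str] = {
    "os_version": "6.1.7601",        # operating system version
    "antivirus_version": "2008.5",   # antivirus software version
    "firewall_version": "3.0",       # personal firewall version
}

# Constructed integrity metric information reported by a terminal.
TERMINAL_METRICS: Dict[str, str] = {
    "os_version": "6.1.7601",
    "antivirus_version": "2008.2",   # out of date relative to the policy
    # firewall_version is deliberately absent: the terminal does not report it
}


def parse_version(text: str) -> tuple:
    """Turn '6.1.7601' into (6, 1, 7601) so versions compare numerically."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"non-numeric version component: {piece!r}")
        parts.append(int(piece))
    return tuple(parts)


@dataclass
class EvaluationResult:
    passed: bool
    failures: List[str] = field(default_factory=list)


def collect_metrics(policy: Dict[str, str],
                    terminal: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Steps 5-8: request from the terminal only the metrics the policy names.
    A metric the terminal does not report is recorded as None."""
    return {name: terminal.get(name) for name in policy}


def evaluate_posture(policy: Dict[str, str],
                     reported: Dict[str, Optional[str]]) -> EvaluationResult:
    """Step 9: compare each reported metric against the policy minimum.
    Missing or unparseable values fail closed rather than being skipped."""
    failures: List[str] = []
    for name, minimum in policy.items():
        value = reported.get(name)
        if value is None:
            failures.append(f"{name}: not reported")
            continue
        try:
            if parse_version(value) < parse_version(minimum):
                failures.append(f"{name}: {value} is below minimum {minimum}")
        except ValueError as exc:
            failures.append(f"{name}: {exc}")
    return EvaluationResult(passed=not failures, failures=failures)


def access_response(result: EvaluationResult) -> str:
    """Step 10: allow on a passed evaluation, otherwise refuse with the reasons."""
    if result.passed:
        return "ACCESS_ACCEPT"
    return "ACCESS_REJECT: " + "; ".join(result.failures)


def run_visited_network_flow(policy: Dict[str, str],
                             terminal: Dict[str, str]) -> str:
    """Whole PDP2 flow from policy receipt to access response."""
    reported = collect_metrics(policy, terminal)
    return access_response(evaluate_posture(policy, reported))


if __name__ == "__main__":
    print(run_visited_network_flow(HOME_POLICY, TERMINAL_METRICS))
```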
Referring to Fig. 2, the second network (network 2) server of this embodiment may comprise: an access request receiving unit 202, configured to receive an access request from the terminal; a security policy obtaining unit 204, configured to request a security policy from the terminal's home network or the visited network before roaming according to the access request, and obtain the security policy;
a security state evaluation unit 206, configured to obtain integrity metric information from the terminal according to the security policy obtained by the security policy obtaining unit 204, and perform security state evaluation of the terminal according to the integrity metric information to obtain a security state evaluation result;
an access response unit 208, configured to respond to the terminal's access request according to the security state evaluation result obtained by the security state evaluation unit 206: if the security state evaluation passes, the terminal is allowed to access; otherwise access is refused.
Referring to Fig. 3, the first network (network 1) server of this embodiment may comprise: a security policy providing unit 302, configured to provide the security policy to the second network server according to the second network server's security policy request.
The system networking diagram of this embodiment is shown in Fig. 4; the system may comprise a first server 402 of network 1 and a second server 404 of network 2, wherein:
the second server 404 is configured to receive an access request from the terminal; request a security policy from the first network and obtain the security policy from the first server; obtain corresponding integrity metric information from the terminal according to the security policy; and perform security state evaluation of the terminal according to the integrity metric information;
the first server 402 is configured to send the security policy to the second server.
This embodiment of the present invention uses the terminal's home network or the visited network before roaming to obtain the terminal's integrity metric information, which improves the utilization efficiency and security of information and reduces the load on the visited network.

Embodiment 2
Referring to Fig. 5, taking a request to access a network as the example of a communication request, another embodiment of the present invention proposes an access control method for a terminal accessing a network. Because network 2 itself is not equipped with a TNC architecture, it needs to request the terminal's network 1 to perform the evaluation, and network 1 performs the evaluation according to the policy configuration of network 2. The method comprises:
Step 1. The terminal initiates an access request to network 2;
Step 2. Network 2 completes identity authentication of the terminal through the terminal's network 1;
Step 3. Network 2 requests network 1 to perform security state evaluation (the request contains the security policy configuration information corresponding to network 2);
Step 4. Network 1 requests the corresponding integrity metric information from the terminal according to the security policy from network 2;
Step 5. The terminal responds with the integrity metric information requested by network 1;
Step 6. Network 1 requests other integrity metric information;
Step 7. The terminal reports the other integrity metric information;
Step 8. Network 1 completes the security state evaluation of the terminal according to the security policy configuration from network 2;
Step 9. Network 1 informs network 2 of the security state evaluation result;
Step 10. Network 2 responds to the terminal's access request according to the security state evaluation result: if the security state evaluation passes, the terminal is allowed to access; otherwise access may be refused or an access failure indicated.
In this embodiment, the visited network the terminal wants to access after roaming cannot perform security state evaluation of the terminal itself, yet it still needs the terminal's integrity metric information to be checked against its own security configuration before finally responding to the terminal's access request. The visited network therefore sends its own security policy configuration information to the PDP of the home network to which the terminal belongs, and at the same time requests the terminal's home network to complete the security state evaluation of the terminal according to this policy configuration. The terminal's home network collects integrity metric information from the terminal, completes the security evaluation according to this policy configuration, and feeds the evaluation result back to the visited network. After receiving this evaluation result, the visited network responds to the access request of the terminal according to it.
Referring to Fig. 6, the second network (network 2) server of this embodiment may comprise: an access request receiving unit 602, configured to receive an access request from the terminal; a security evaluation requesting unit 604, configured to request the terminal's home network or the visited network before roaming to perform security state evaluation of the terminal, and to send a security policy to the first server;
a security state evaluation result receiving unit 606, configured to receive the security state evaluation result of the terminal from the first network server;
an access response unit 608, configured to respond to the terminal's access request according to the security state evaluation result obtained by the security state evaluation result receiving unit 606.
Referring to Fig. 7, the first network (network 1) server of this embodiment may comprise: a security policy receiving unit 702, configured to receive a security policy from the second network server;
a security state evaluation unit 704, configured to request the corresponding integrity metric information from the terminal according to the security policy received from the second network server, and perform security state evaluation of the terminal according to that integrity metric information to obtain a security state evaluation result.
The system networking diagram of this embodiment is the same as Fig. 4; the system may comprise a first server of network 1 and a second server of network 2, wherein: the second server is configured to receive an access request from the terminal; request the first network to perform security state evaluation of the terminal and send a security policy to the first server; and receive the security state evaluation result of the terminal from the first server;
the first server is configured to negotiate with the second server, obtain the security policy from the second server, obtain corresponding integrity metric information from the terminal according to the security policy, perform security state evaluation according to the integrity metric information, and feed the evaluation result back to the second server.
This embodiment of the present invention uses the terminal's home network or the visited network before roaming to obtain the security state evaluation result of the terminal, which improves the utilization efficiency and security of the network and reduces the load on the visited network.

Embodiment 3
Referring to Fig. 8, taking a request to access a network as the example of a communication request, another embodiment of the present invention proposes an access control method for a terminal accessing a network, in which network 1 stores the security state evaluation result of the terminal and network 2 uses network 1's security state evaluation result directly. When network 2's security level requirement for the terminal is low and there is no need to perform security state evaluation of the terminal, it only needs to request from network 1 its last evaluation result, and this result serves as the reference condition for the terminal's access.
The method comprises:
Step 1. The terminal initiates an access request to network 2;
Step 2. Network 2 completes identity authentication of the terminal through the terminal's network 1;
Step 3. Network 2 directly requests from network 1 its last evaluation result of the terminal;
Step 4. Network 1 sends the stored security state evaluation result to network 2;
Step 5. Network 2 responds to the terminal's access request with reference to this security state evaluation result.
In this embodiment, the security level requirement of the visited network the terminal requests to access is not high, so the visited network does not need to evaluate the terminal's integrity metric information item by item; it only needs to obtain the terminal's previous evaluation result through the terminal's home network, and responds to the terminal's access request directly with reference to that result.
Referring to Fig. 9, the second network (network 2) server of this embodiment may comprise: an access request receiving unit 902, configured to receive an access request from the terminal; a security state evaluation result requesting unit 904, configured to request a security state evaluation result from the first network server.
Referring to Fig. 10, the first network (network 1) server of this embodiment may comprise: a security state evaluation result providing unit 1002, configured to provide its own stored security state evaluation result to the second network server at the request of the second network server.
This embodiment of the present invention uses the terminal's home network or the visited network before roaming to obtain the security state evaluation result of the terminal, which improves the utilization efficiency and security of the network and reduces the load on the visited network.

Embodiment 4
Taking a request to access a network as the example of a communication request, another embodiment of the present invention proposes an access control method for a terminal accessing a network. A trust relationship may be pre-established between network 1 and network 2 when the network is deployed and a secure channel maintained, or a secure channel may be established temporarily; network 1 stores the terminal's integrity metric information and the security state evaluation result of the terminal. Using this secure channel, network 1 and network 2 can share the terminal's integrity metric information and security state evaluation result. This reduces repeated transmission of integrity metric information in the network, thereby lowering security risk, while also reducing handover delay and avoiding degradation of the quality of service of real-time services.
The terminal integrity metric information exchanged between network 1 and network 2 may be associated with the identity of the terminal user through the user's IMSI, URL or the like. Referring to Fig. 11, the method comprises:
Step 1 to Step 6: similar to the previous embodiments;
Step 7. After the terminal roams to network 2, it initiates an access request to network 2; the request contains the identifier of network 1, or the identifier of network 1 may be sent independently of the access request;
Step 8. The current network 2 completes identity authentication of the terminal through network 1;
Step 9. Using the identifier of network 1, the current network 2 requests from the original network 1, through the pre-established or temporarily established secure channel, the integrity metric information and/or security state evaluation result of the terminal that network 1 has stored;
Step 10. The original network 1 responds to the request of network 2 and provides the terminal's integrity metric information and/or security state evaluation result;
Step 11. The current network 2 decides, according to its own security level requirement for the accessing terminal, whether to perform security state evaluation: if the security level requirement for the terminal is not high, it can respond directly with reference to the evaluation result of the original network 1; if the security level requirement is high, network 2 can perform security state evaluation of the terminal according to the integrity metric information and obtain its own security state evaluation result;
Step 12. The current network 2 makes an access response to the terminal requesting access according to the security state evaluation result.
In this embodiment, network 1 may be either a visited network or the home network. When a terminal roams among multiple networks, one approach is to store its integrity metric information or security state evaluation result on a server of the home network, so that when the terminal accesses different visited networks after roaming, those visited networks only need to request the corresponding integrity metric information or security state evaluation result from the terminal's home network. Another approach is for the visited network where the terminal currently is to store the terminal's integrity metric information and the current security state evaluation result; when the terminal roams to the next network, the new visited network only needs to request the terminal's integrity metric information or security state evaluation result from the previous visited network, without obtaining this information from the terminal's home network again.
This embodiment of the present invention uses the terminal's home network or the visited network before roaming to obtain the security state evaluation result of the terminal, which improves the utilization efficiency and security of information and of the network and reduces the load on the visited network.

Embodiment 5
Referring to Fig. 12, another embodiment of the present invention proposes a terminal access control method: after the terminal initiates a communication request to network 2, network 1 sends the security state evaluation result of the terminal to network 2, and network 2 responds to the terminal's communication request accordingly.
The method comprises:
Step 1. The terminal initiates a communication request to network 2;
Step 2. Network 2 or the terminal requests network 1 to perform security state evaluation of the terminal;
Step 3. Network 1 obtains integrity metric information from the terminal and performs security state evaluation of the terminal;
Step 4. Network 1 sends the evaluation result to network 2;
Step 5. Network 2 responds to the terminal's communication request with reference to this security state evaluation result.
This embodiment may further comprise, before or after Step 2: network 2 completes identity authentication of the terminal through the terminal's network 1. In this embodiment, after the terminal initiates a communication request to network 2, network 2 may initiate a request to network 1 asking it to perform security state evaluation of the terminal. Alternatively, after the terminal initiates a communication request to network 2, the terminal requests network 1 to perform security state evaluation of it, the request including the identifier of network 2. After network 1 completes the security state evaluation, it provides the security state evaluation result to network 2.
Referring to Fig. 13, the second network (network 2) server of this embodiment may comprise: a communication request receiving unit 1302, configured to receive a communication request from the terminal; a security state evaluation result requesting unit 1304, configured to request the terminal's home network or the visited network before roaming to perform security state evaluation of the terminal;
a security state evaluation result receiving unit 1306, configured to receive the security state evaluation result of the terminal from the home network or visited network.
Further, the second network (network 2) server may also comprise:
a response unit 1308, configured to respond to the terminal's communication request according to the security state evaluation result obtained by the security state evaluation result receiving unit 1306.
Referring to Fig. 14, the first network (network 1) server of this embodiment may comprise: a security state evaluation result providing unit 1402, configured to provide its own stored security state evaluation result to the second network server according to a security state evaluation request from the terminal or from the second network server.
Referring to Fig. 15, the network system of this embodiment comprises:
a first server 1502 of the first network and a second server 1504 of the second network, wherein: the second server 1504 is configured to receive a communication request from the terminal; request the first network to perform security state evaluation of the terminal; and receive the security state evaluation result of the terminal from the first server;
the first server 1502 is configured to receive a security state evaluation request from the second server or from the terminal, evaluate the security state according to the request on the basis of integrity metric information received from the terminal to obtain a security state evaluation result, and provide the evaluation result to the second server.
Further, the second server 1504 may also be configured to respond to the terminal's communication request according to the security state evaluation result.
This embodiment of the present invention uses the terminal's home network or the visited network before roaming to obtain the security state evaluation result of the terminal, which improves the utilization efficiency and security of the network and reduces the load on the visited network.

Embodiment 6
Referring to Fig. 16, another embodiment of the present invention proposes a terminal access control method: after the terminal initiates a communication request to network 2, network 1 collects the integrity metric information of the terminal and sends it to network 2; network 2 uses this integrity metric information to perform security state evaluation of the terminal and responds according to the evaluation result.
The method comprises:
Step 1. The terminal initiates a communication request to network 2;
Step 2. Network 2 or the terminal requests network 1 to collect the integrity metric information of the terminal;
Step 3. Network 1 collects the integrity metric information of the terminal;
Step 4. Network 1 sends the collected integrity metric information of the terminal to network 2;
Step 5. Network 2 uses the terminal's integrity metric information to perform security state evaluation of the terminal;
Step 6. Network 2 responds to the terminal's communication request according to the security state evaluation result.
This embodiment may further comprise, before or after Step 2: network 2 completes identity authentication of the terminal through the terminal's network 1.
In this embodiment, after the terminal initiates a communication request to network 2, network 2 may initiate a request to network 1 asking it to collect the integrity metric information of the terminal. Alternatively, after the terminal initiates an access request to network 2, the terminal requests network 1 to collect its integrity metric information, the request including the identifier of network 2; after network 1 completes the collection, the information is sent to network 2.
Referring to Fig. 17, the second network (network 2) server of this embodiment may comprise: a communication request receiving unit 1702, configured to receive a communication request from the terminal; an integrity metric information requesting unit 1704, configured to request the terminal's home network or the visited network before roaming to collect the integrity metric information of the terminal;
an integrity metric information receiving unit 1706, configured to receive the terminal's integrity metric information collected by the home network or visited network;
a security state evaluation unit 1708, configured to perform security state evaluation of the terminal according to the integrity metric information obtained by the integrity metric information receiving unit 1706, to obtain a security state evaluation result.
Further, the second network (network 2) server may also comprise:
a response unit 1710, configured to respond to the terminal's communication request according to the security state evaluation result obtained by the security state evaluation unit 1708.
Referring to Fig. 18, the first network (network 1) server of this embodiment may comprise: an integrity metric information providing unit 1802, configured to provide the collected integrity metric information to the second network server at the request of the second network server.
Referring to Fig. 19, this embodiment further proposes a network system, comprising:
a first server 1902 of the first network and a second server 1904 of the second network, wherein: the second server 1904 is configured to receive a communication request from the terminal; request the first network to collect the integrity metric information of the terminal; receive the collected integrity metric information of the terminal from the first server; and perform security state evaluation of the terminal according to the integrity metric information to obtain a security state evaluation result;
the first server 1902 is configured to receive an integrity metric information request from the second server or the terminal, collect the integrity metric information of the terminal according to the request, and provide the integrity metric information to the second server. Further, the second server is also configured to respond to the terminal's communication request according to the security state evaluation result.
This embodiment of the present invention uses the terminal's home network or the visited network before roaming to obtain the integrity metric information of the terminal, which improves the utilization efficiency and security of information and of the network and reduces the load on the visited network.

Embodiment 7
Referring to Fig. 20, another embodiment of the present invention proposes a terminal access control method: the terminal requests from network 1 a credential (for example, a certificate, a token, etc.) that can attest its security state; after the terminal initiates a communication request to network 2, network 2 verifies the credential and responds to the communication request according to the verification result.
The method comprises:
Step 1. The terminal obtains a credential from network 1, such as a certificate, a token, etc.;
Step 2. The terminal initiates a communication request to network 2, carrying the credential;
Step 3. After completing identity authentication of the terminal, network 2 verifies the validity of the credential;
Step 4. Network 2 responds to the terminal's communication request according to the verification result.
In this embodiment, the communication request may be a request by the terminal to network 2 to access the network, or it may be a request for a particular service initiated by the terminal to a service providing server (for example, one in network 2).
Referring to Fig. 21, the second network (network 2) server of this embodiment may comprise: a communication request receiving unit 2102, configured to receive a communication request from the terminal; a credential information receiving unit 2104, configured to receive credential information from the terminal; a credential information verification unit 2106, configured to verify the validity of the credential information and obtain a security state evaluation result of the terminal.
Further, the second network (network 2) server may also comprise:
a response unit 2108, configured to respond to the terminal's communication request according to the security state evaluation result obtained by the credential information verification unit 2106.
Referring to Fig. 22, the first network (network 1) server of this embodiment may comprise: a credential providing unit 2202, configured to provide the terminal with credential information attesting its security.
Referring to Fig. 23, this embodiment further proposes a network system, comprising:
a first server 2302 of the first network and a second server 2304 of the second network, wherein: the first server 2302 is configured to provide credential information to the terminal;
the second server 2304 is configured to receive a communication request and credential information from the terminal, verify the validity of the credential information, and obtain a security state evaluation result of the terminal. Further, the second server may respond to the terminal's communication request according to the security state evaluation result.
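The following Python sketch is an added example, not code from the patent, of the credential exchange of Embodiment 7: network 1 issues the terminal a token binding its identity, the issuer, its security state and an expiry under an HMAC, and network 2 verifies the tag with the issuer's key, checks that the token was issued for the requesting terminal and has not expired, and only then answers the communication request. The token layout (HMAC-SHA256 over a compact JSON payload), the field names, the keys and the IMSI values are constructed for illustration; the patent leaves the credential format open (certificate, token, etc.).

```python
"""
Added example (not from the patent): network 1 issues a posture credential
to the terminal (Step 1) and network 2 verifies it (Step 3) before answering
the communication request (Step 4). Token layout, field names and keys are
constructed here; a deployment might use certificates instead.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(key: bytes, issuer: str, imsi: str, posture: str,
                     ttl_s: int, now: float) -> str:
    """Network 1 (Step 1): bind issuer, terminal identity, security state and
    expiry into one payload and authenticate it with the issuer's key."""
    payload = {"iss": issuer, "sub": imsi, "posture": posture,
               "exp": int(now) + ttl_s}
    body = _b64(json.dumps(payload, sort_keys=True,
                           separators=(",", ":")).encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_credential(keys: Dict[str, bytes], token: str,
                      expected_imsi: str, now: float) -> Tuple[bool, str]:
    """Network 2 (Step 3). Returns (True, posture) or (False, reason).

    The issuer field is read only to select a verification key; every other
    field is used only after the tag has been checked in constant time.
    """
    try:
        body, tag_text = token.split(".")
        payload = json.loads(_unb64(body))
    except ValueError:  # wrong part count, bad base64, or bad JSON
        return (False, "malformed credential")
    if not isinstance(payload, dict):
        return (False, "malformed credential")
    key = keys.get(payload.get("iss"))
    if key is None:
        return (False, "unknown issuer")
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    try:
        presented = _unb64(tag_text)
    except ValueError:
        return (False, "malformed credential")
    if not hmac.compare_digest(expected, presented):
        return (False, "bad signature")
    if payload.get("sub") != expected_imsi:
        return (False, "credential issued for another terminal")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return (False, "credential expired")
    return (True, str(payload.get("posture")))


def communication_response(keys: Dict[str, bytes], token: str,
                           imsi: str, now: float) -> str:
    """Step 4: answer the communication request from the verification result."""
    ok, info = verify_credential(keys, token, imsi, now)
    if ok and info == "compliant":
        return "ACCEPT"
    return "REJECT: " + (info if not ok else f"posture {info}")


if __name__ == "__main__":
    # Constructed sample: one issuer key shared between network 1 and network 2.
    keys = {"network1": b"constructed-shared-key"}
    tok = issue_credential(keys["network1"], "network1", "460001234567890",
                           "compliant", 600, now=1_700_000_000.0)
    print(communication_response(keys, tok, "460001234567890",
                                 now=1_700_000_010.0))
```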
Referring to Fig. 24, another embodiment of the present invention proposes a terminal access control method, applied to a system comprising a first security domain and a second security domain, comprising the following steps:
Step 1. When a terminal requests access to an RSD (Relying Security Domain), it initiates an access request to the RSD;
Step 2. The RSD obtains the SPI (Security Posture Information) of the terminal; the SPI may be the terminal's integrity metric information or security state evaluation result, and may be obtained from an ASD (Asserting Security Domain) or from the terminal.
Step 3. The RSD responds to the terminal according to the terminal's security state information. The RSD may allow the terminal to access, refuse the terminal access, or allow the terminal partial access, according to the security state information.
This embodiment of the present invention uses the terminal's home network or the visited network before roaming to obtain the security state evaluation result of the terminal, which improves the utilization efficiency and security of information and of the network and reduces the load on the visited network.
Through the embodiments of the present invention, the terminal's home network or the visited network before roaming can be fully used to obtain the security state evaluation result or integrity metric information of the terminal, which improves the utilization efficiency and security of information and of the network, reduces network load, and solves the delay or service interruption caused by the collection of integrity metric information and by unnecessary security state evaluations. From the description of the above embodiments, a person skilled in the art can clearly understand that the present invention can be implemented in hardware, or in software plus a necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention can be embodied in the form of a software product stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a portable hard disk, etc.), including a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the various embodiments of the present invention.
In summary, the foregoing describes merely preferred embodiments of the present invention and is not intended to limit its protection scope. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims

1. A terminal access control method, characterized in that the method comprises: receiving an access request from a terminal of a first security domain;
obtaining security state information of the terminal;
responding to the access request of the terminal according to the security state information of the terminal.
2. The method according to claim 1, characterized in that obtaining the security state information of the terminal according to the access request comprises:
obtaining integrity metric information of the terminal according to the access request; or
obtaining a security state evaluation result according to the access request; or
obtaining metadata information related to the security of the terminal according to the access request.
3. The method according to claim 1, characterized in that obtaining the security state information of the terminal according to the access request comprises:
obtaining the security state information of the terminal from the first security domain; or
obtaining the security state information of the terminal from the terminal.
4. The method according to claim 1, characterized in that responding to the access request of the terminal according to the security state information of the terminal comprises:
allowing the terminal to access according to the security state information; or
refusing the terminal access according to the security state information; or
allowing the terminal partial access according to the security state information.
5. A terminal access control method, characterized in that the method comprises: a second security domain receiving an access request from a terminal;
the second security domain obtaining a security policy from a first security domain, obtaining corresponding integrity metric information from the terminal according to the security policy, and performing security state evaluation of the terminal according to the integrity metric information to obtain a security state evaluation result; or, the second security domain sending a security policy to the first security domain, the second security domain obtaining corresponding integrity metric information from the terminal according to the security policy, performing security state evaluation of the terminal according to the integrity metric information to obtain a security state evaluation result, and providing the security state evaluation result to the second security domain.
6. The method according to claim 5, characterized in that, before the step of the second network obtaining the security policy from the first security domain, the method further comprises:
the second network requesting the security policy from the first security domain, and the first security domain providing the security policy to the second security domain according to the request.
7. The method according to claim 5, characterized in that the step of the second security domain sending the security policy to the first security domain comprises:
the second security domain requesting the first security domain to perform security state evaluation of the terminal, and sending the security policy to the first security domain.
8. The method according to any one of claims 5 to 7, characterized in that the method further comprises: … response.
9. A terminal access control method, characterized in that a first security domain stores a security state evaluation result and integrity metric information of a terminal, and when the terminal visits a second security domain, the method comprises:
the second security domain receiving from the terminal an access request and information including an identifier of the first security domain;
the second security domain, according to the identifier of the first security domain, initiating to the first security domain a request for the security state evaluation result and/or integrity metric information of the terminal, and obtaining, through a secure channel pre-established or temporarily established with the first security domain, the security state evaluation result and/or integrity metric information of the terminal stored by the first security domain.
10. The method according to claim 9, characterized in that the request for the security state evaluation result and/or integrity metric information initiated by the second security domain to the first security domain carries a terminal user identifier.
11、 一种网络系统, 其特征在于, 包括: 第一安全域的第一服务 器和第二安全域的第二服务器, 其中:
所述第二服务器, 用于接收来自所述终端的接入请求; 向所述第 一安全域请求安全策略, 获取来自所述第一服务器的安全策略, 根据 所述安全策略获取来自所述终端的对应的完整性度量信息,根据所述 完整性度量信息对所述终端进行安全状态评估,得到安全状态评估结 果;
所述第一服务器, 用于向第二服务器发送安全策略。
12、 如权利要求 11所述的系统, 其特征在于, 所述第二服务器 包括:
接入请求接收单元, 用于接收来自所述终端的接入请求; 安全策略获取单元,用于根据所述接入请求向第一服务器请求安 全策略, 获取来自第一服务器的安全策略;
安全状态评估单元,用于根据所述安全策略获取单元获取到的安 全策略, 获取来自所述终端的完整性度量信息, 根据所述完整性度量 信息对终端进行安全状态评估, 得到安全状态评估结果。
13、 一种网络系统, 其特征在于, 包括: 第一安全域的第一服务 器和第二安全域第二服务器, 其中:
所述第二服务器, 用于接收来自所述终端的接入请求; 请求所述 第一安全域对所述终端进行安全状态评估,向第一服务器发送安全策 略; 接收来自第一服务器的对终端的安全状态评估结果;
所述第一服务器, 用于获取来自第二服务器的安全策略, 根据所 述安全策略获取来自所述终端的对应的完整性度量信息,根据所述完 整性度量信息对终端进行安全状态评估得到安全状态评估结果,将评 估结果反馈给第二服务器。
14、 如权利要求 13所述的系统, 其特征在于, 所述第二服务器 包括:
接入请求接收单元, 用于接收来自所述终端的接入请求; 安全评估请求单元,用于请求第一服务器对所述终端进行安全状 态评估, 向第一服务器发送安全策略;
安全状态评估结果接收单元,用于接收来自第一服务器对所述终 端的安全状态评估结果。
15、 一种网络设备, 其特征在于, 包括:
接入请求接收单元, 用于接收来自终端的接入请求; 安全策略获取单元,用于根据所述接入请求向所述终端的归属网 络或漫游之前的拜访网络请求安全策略, 获取所述安全策略;
安全状态评估单元,用于根据所述安全策略获取单元获取到的安 全策略, 获取来自所述终端的完整性度量信息, 根据所述完整性度量 信息对所述终端进行安全状态评估, 得到安全状态评估结果。
16、 如权利要求 15所述的设备, 其特征在于, 进一步包括: 接入响应单元,用于根据所述安全状态评估单元得到的安全状态 评估结果对所述终端的接入请求作出响应。
17、 一种网络设备, 其特征在于, 包括:
接入请求接收单元, 用于接收来自终端的接入请求;
安全评估请求单元,用于请求该终端的归属网络或漫游之前的拜 访网络对所述终端进行安全状态评估,向所述归属网络或拜访网络发 送安全策略;
安全状态评估结果接收单元,用于接收来自所述归属网络或拜访 网络对终端的安全状态评估结果。
18、 如权利要求 17所述的设备, 其特征在于, 进一步包括: 接入响应单元,用于根据所述安全状态评估结果接收单元获取到 的安全状态评估结果, 对所述终端的接入请求作出响应。
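The following Python model is an added illustration of claims 1 to 18 and is not code from the patent or from the applicant. It shows the two placements of the assessment claimed in claim 5 (the visited domain evaluates against a policy fetched from the home domain, or the home domain evaluates against the visited domain's policy), the three responses of claim 4, and the reuse of a result the home domain already stores, keyed by the terminal user identifier, as in claims 9 and 10. The component names, policy contents, measurement values, domain names and method names are all assumptions of this example; the "secure channel" between the domains is modelled as a direct object reference.

```python
# Added illustration of claims 1 to 18, not code from the patent.  Names, policy
# contents and measurement values are constructed assumptions.
import hashlib
from dataclasses import dataclass

ALLOW, PARTIAL, DENY = "allow", "partial", "deny"   # the three responses of claim 4


def measure(component_state: str) -> str:
    """Stand-in for an integrity measurement of one component (hash of its state)."""
    return hashlib.sha256(component_state.encode()).hexdigest()


@dataclass(frozen=True)
class PolicyItem:
    component: str   # what the terminal has to measure
    expected: str    # the only measurement the domain accepts
    required: bool   # True: mismatch denies access; False: mismatch only restricts it


class Terminal:   # carries a measurement collector that answers only what a policy asks
    def __init__(self, user_id, home_domain, state):
        self.user_id, self.home_domain = user_id, home_domain
        self._state = state   # component -> current state string

    def access_request(self):   # claim 9: the request names the home domain
        return {"user_id": self.user_id, "home_domain": self.home_domain}

    def collect(self, policy):
        return {it.component: measure(self._state.get(it.component, "")) for it in policy}


def assess(policy, reported):
    """Compare reported measurements with a policy -> (verdict, failed components)."""
    failed = [it for it in policy if reported.get(it.component) != it.expected]
    verdict = DENY if any(it.required for it in failed) else (PARTIAL if failed else ALLOW)
    return verdict, [it.component for it in failed]


class HomeDomainServer:   # first server of the first security domain
    def __init__(self, domain_id, policy):
        self.domain_id, self.policy = domain_id, policy
        self._stored = {}   # user_id -> last result (claim 9)

    def get_policy(self, user_id):   # claim 6
        return self.policy

    def assess_on_request(self, terminal, policy):   # claims 7 and 13
        verdict, _ = assess(policy, terminal.collect(policy))
        self._stored[terminal.user_id] = verdict
        return verdict

    def stored_result(self, user_id):   # claims 9 and 10: keyed by the user identifier
        return self._stored.get(user_id)


class VisitedDomainServer:   # second server of the second security domain
    def __init__(self, domain_id, peers, own_policy):
        self.domain_id, self.own_policy = domain_id, own_policy
        self.peers = peers   # home domain id -> server reachable over a secure channel

    def _home(self, terminal):
        # No channel to the claimed home domain: callers deny rather than guess.
        return self.peers.get(terminal.access_request()["home_domain"])

    def access_with_local_assessment(self, terminal):
        """Claim 5, first alternative (also 11, 12, 15): home policy, visited evaluates."""
        home = self._home(terminal)
        if home is None:
            return DENY
        policy = home.get_policy(terminal.user_id)
        return assess(policy, terminal.collect(policy))[0]

    def access_with_home_assessment(self, terminal):
        """Claim 5, second alternative (also 13, 14, 17): visited policy, home evaluates."""
        home = self._home(terminal)
        return DENY if home is None else home.assess_on_request(terminal, self.own_policy)

    def access_with_stored_result(self, terminal):
        """Claims 9 and 10: reuse the home domain's stored result; assess afresh if none."""
        home = self._home(terminal)
        if home is None:
            return DENY
        stored = home.stored_result(terminal.user_id)
        return stored if stored is not None else self.access_with_local_assessment(terminal)


# Constructed sample data (assumptions, not values from the patent).
KERNEL_OK, AV_OK, FW_OK = "kernel 2.6.24 signed", "av sigs 2009-02-18", "firewall on"
HOME_POLICY = [PolicyItem("kernel", measure(KERNEL_OK), True),
               PolicyItem("antivirus", measure(AV_OK), False)]
VISITED_POLICY = HOME_POLICY + [PolicyItem("firewall", measure(FW_OK), True)]


def demo():
    home = HomeDomainServer("home.example", HOME_POLICY)
    visited = VisitedDomainServer("visited.example", {"home.example": home}, VISITED_POLICY)
    healthy = Terminal("alice", "home.example", {"kernel": KERNEL_OK, "antivirus": AV_OK, "firewall": FW_OK})
    stale_av = Terminal("bob", "home.example", {"kernel": KERNEL_OK, "antivirus": "av sigs 2008-01-01"})
    rooted = Terminal("mallory", "home.example", {"kernel": "kernel 2.6.24 + rootkit", "antivirus": AV_OK})
    stranger = Terminal("eve", "nowhere.example", {})
    return {
        "healthy_local": visited.access_with_local_assessment(healthy),    # allow
        "stale_av_local": visited.access_with_local_assessment(stale_av),  # partial
        "rooted_home_eval": visited.access_with_home_assessment(rooted),   # deny
        "rooted_stored": visited.access_with_stored_result(rooted),        # deny, result reused
        "unknown_home": visited.access_with_stored_result(stranger),       # deny
    }
```

Calling `demo()` exercises all three paths. Two behaviours are choices of this example rather than of the claims: a terminal that names a home domain with which the visited domain has no secure channel is denied outright, and a missing stored result falls back to a fresh assessment instead of being treated as a pass. In a real deployment the measurements would come from a TPM-backed collector and the policy would carry more than one acceptable value per component.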
19. A terminal access control method, characterized in that it comprises:
a second security domain receives a communication request from a terminal;
the second security domain or the terminal requests a first security domain to perform a security state assessment of the terminal;
the second security domain receives the security state assessment result of the terminal from the first security domain, the security state assessment result having been obtained by the first security domain, at the request of the second security domain or the terminal, by evaluating the integrity measurement information received from the terminal.
20. The method according to claim 19, wherein, before the second security domain receives, the method further comprises: the second security domain authenticates the identity of the terminal through the first security domain.
21. The method according to claim 19, wherein the method further comprises: responding.
22. A network device, characterized in that it comprises:
a communication request receiving unit, configured to receive a communication request from a terminal;
a security state assessment result requesting unit, configured to request the home network of the terminal, or the visited network the terminal roamed from, to perform a security state assessment of the terminal;
a security state assessment result receiving unit, configured to receive the security state assessment result of the terminal from the home network or visited network.
23. The device according to claim 22, further comprising:
a response unit, configured to respond to the communication request of the terminal according to the security state assessment result obtained by the security state assessment result receiving unit.
24. A network system, characterized in that it comprises a first server of a first security domain and a second server of a second security domain, wherein:
the second server is configured to receive a communication request from the terminal; request the first security domain to perform a security state assessment of the terminal; and receive the security state assessment result of the terminal from the first server;
the first server is configured to receive a security state assessment request from the second server or from the terminal, evaluate the security state according to the request on the basis of the integrity measurement information received from the terminal, obtain a security state assessment result, and provide that assessment result to the second server.
25. The network system according to claim 24, wherein the second server is further configured to respond to the communication request of the terminal according to the security state assessment result.
26. A terminal access control method, characterized in that it comprises:
a second security domain receives a communication request from a terminal;
the second security domain or the terminal requests a first security domain to collect the integrity measurement information of the terminal;
the second security domain receives the integrity measurement information of the terminal from the first security domain, the integrity measurement information having been collected from the terminal by the first security domain at the request of the second security domain or the terminal;
the second security domain performs a security state assessment of the terminal according to the integrity measurement information to obtain a security state assessment result.
27. The method according to claim 26, wherein before the step of the second security domain performing the security state assessment of the terminal according to the integrity measurement information, the method further comprises:
the second security domain authenticates the identity of the terminal through the first security domain.
28. The method according to claim 26, wherein the method further comprises: responding.
29. A network device, characterized in that it comprises:
a communication request receiving unit, configured to receive a communication request from a terminal;
an integrity measurement information requesting unit, configured to request the home network of the terminal, or the visited network the terminal roamed from, to collect the integrity measurement information of the terminal;
an integrity measurement information receiving unit, configured to receive the integrity measurement information of the terminal collected by the home network or visited network;
a security state assessment unit, configured to perform a security state assessment of the terminal according to the integrity measurement information obtained by the integrity measurement information receiving unit, to obtain a security state assessment result.
30. The device according to claim 29, further comprising:
a response unit, configured to respond to the communication request of the terminal according to the security state assessment result obtained by the security state assessment unit.
31. A network system, characterized in that it comprises a first server of a first security domain and a second server of a second security domain, wherein:
the second server is configured to receive a communication request from the terminal; request the first security domain to collect the integrity measurement information of the terminal; receive the collected integrity measurement information of the terminal from the first server; and perform a security state assessment of the terminal according to the integrity measurement information to obtain a security state assessment result;
the first server is configured to receive an integrity measurement information request from the second server or from the terminal, collect the integrity measurement information of the terminal according to the request, and provide that integrity measurement information to the second server.
32. The network system according to claim 31, wherein the second server is further configured to respond to the communication request of the terminal according to the security state assessment result.
33. A terminal access control method, characterized in that the terminal obtains credential information from a first security domain, and the method comprises:
a second security domain receives a communication request and the credential information from the terminal;
the second security domain verifies the validity of the credential information and thereby obtains a security state assessment result for the terminal.
34. The method according to claim 33, wherein before the step of the second security domain receiving the communication request and the credential information from the terminal, the method further comprises: the second security domain authenticates the identity of the terminal.
35. The method according to claim 33, wherein the method further comprises: responding.
36. A network device, characterized in that it comprises:
a communication request receiving unit, configured to receive a communication request from a terminal;
a credential information receiving unit, configured to receive credential information from the terminal;
a credential information verification unit, configured to verify the validity of the credential information and thereby obtain a security state assessment result for the terminal.
37. The device according to claim 36, further comprising:
a response unit, configured to respond to the communication request of the terminal according to the security state assessment result obtained by the credential information verification unit.
38. A network system, characterized in that it comprises a first server of a first security domain and a second server of a second security domain, wherein:
the first server is configured to provide credential information to the terminal;
the second server is configured to receive a communication request and the credential information from the terminal, and to verify the validity of the credential information and thereby obtain a security state assessment result for the terminal.
39. The network system according to claim 38, wherein the second server is further configured to respond to the communication request of the terminal according to the security state assessment result.
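An added example, not code from the patent or the applicant, of the credential path of claims 33 to 39: the first server issues the terminal a credential that carries the assessment result, and the second server obtains that result by verifying the credential instead of repeating the assessment. The claims do not specify a credential format or how its validity is checked; the JSON body, the HMAC-SHA256 tag under a key the two domains share (standing in for whatever trust their secure channel establishes), the field names, the sample key and the fixed timestamps are all assumptions of this example.

```python
# Added illustration of claims 33 to 39, not code from the patent.  The credential
# format (JSON body + HMAC-SHA256 tag under a key the two domains share), the
# field names and the sample key are constructed assumptions.
import base64
import hashlib
import hmac
import json

DENY = "deny"
RESULTS = ("allow", "partial", "deny")   # the responses of claim 4


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(home_key, home_domain, user_id, result, issued_at, ttl):
    """First server (claim 38): bind the result to user, issuer and a validity window."""
    payload = {"home": home_domain, "sub": user_id, "result": result,
               "iat": issued_at, "exp": issued_at + ttl}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(home_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_credential(domain_keys, credential, authenticated_user, now):
    """Second server (claims 33, 34, 36): validity check -> (result, reason).

    Every failure maps to DENY, so a forged or broken credential never grants
    more than presenting no credential at all.
    """
    try:
        body, tag = credential.split(".")
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return DENY, "malformed credential"
    if not isinstance(payload, dict):
        return DENY, "malformed credential"
    # The issuer field is read before the tag is checked, but only to pick the
    # key; nothing else in the payload is trusted until the tag verifies.
    key = domain_keys.get(payload.get("home"))
    if key is None:
        return DENY, "no secure channel with claimed home domain"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return DENY, "tag mismatch"
    if payload.get("sub") != authenticated_user:   # claim 34: identity was checked first
        return DENY, "credential issued to a different terminal"
    iat, exp = payload.get("iat"), payload.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
        return DENY, "outside validity window"
    if payload.get("result") not in RESULTS:
        return DENY, "unknown result value"
    return payload["result"], "ok"


# Constructed sample: a key shared by the two domains and a fixed issue time.
HOME_KEY = hashlib.sha256(b"constructed shared secret home<->visited").digest()
DOMAIN_KEYS = {"home.example": HOME_KEY}
T0 = 1_235_000_000   # arbitrary epoch seconds


def demo():
    cred = issue_credential(HOME_KEY, "home.example", "alice", "allow", T0, ttl=600)
    body, tag = cred.split(".")
    tampered = body[:5] + ("A" if body[5] != "A" else "B") + body[6:] + "." + tag
    forged = issue_credential(b"guessed key", "home.example", "alice", "allow", T0, 600)
    rogue = issue_credential(b"rogue key", "rogue.example", "alice", "allow", T0, 600)
    return {
        "valid": verify_credential(DOMAIN_KEYS, cred, "alice", T0 + 60),
        "wrong_user": verify_credential(DOMAIN_KEYS, cred, "bob", T0 + 60),
        "expired": verify_credential(DOMAIN_KEYS, cred, "alice", T0 + 600),
        "tampered": verify_credential(DOMAIN_KEYS, tampered, "alice", T0 + 60),
        "forged": verify_credential(DOMAIN_KEYS, forged, "alice", T0 + 60),
        "unknown_issuer": verify_credential(DOMAIN_KEYS, rogue, "alice", T0 + 60),
    }
```

`demo()` returns the verdict and reason for a valid credential and for the failure cases a verifier has to handle: presented by a different terminal than it was issued to, outside its validity window, modified in transit, tagged with the wrong key, and issued by a domain the visited network has no channel with. The credential carries no nonce, so within its validity window the same terminal can replay it; that is acceptable only because claim 34 authenticates the terminal before the credential is accepted, and a short TTL bounds how stale the carried assessment can be.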
PCT/CN2009/070458 2008-02-29 2009-02-18 Terminal access control method, network device and system WO2009109118A1 (zh)

Applications Claiming Priority (4)

Application Number   Priority Date   Filing Date   Title
CN200810065495.0     2008-02-29
CN200810065495       2008-02-29
CN200810098771.3A (CN101621380B, zh)   2008-02-29   2008-05-28   Terminal security state assessment method, network device and system
CN200810098771.3     2008-05-28

Publications (1)

Publication Number Publication Date
WO2009109118A1 true WO2009109118A1 (zh) 2009-09-11

Family

ID=41055546

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/070458 WO2009109118A1 (zh) 2008-02-29 2009-02-18 Terminal access control method, network device and system

Country Status (2)

Country Link
CN (2) CN103260161B (zh)
WO (1) WO2009109118A1 (zh)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882923A (zh) * 2012-07-25 2013-01-16 北京亿赛通科技发展有限责任公司 Mobile terminal secure storage system and method
CN103209414A (zh) * 2012-01-13 2013-07-17 腾讯科技(深圳)有限公司 Method, apparatus and mobile terminal for controlling web page access

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102215211B (zh) * 2010-04-02 2016-01-20 中兴通讯股份有限公司 Communication method, and security policy negotiation method and system supporting trusted network access
CN103561035A (zh) * 2013-11-11 2014-02-05 中国联合网络通信集团有限公司 Mobile user security protection method and system
CN103856568B (zh) * 2014-03-25 2019-03-19 努比亚技术有限公司 Terminal, system and implementation method capable of indicating the security state of a user terminal
CN103970651A (zh) * 2014-04-18 2014-08-06 天津大学 Software architecture security assessment method based on component security attributes
US11140168B2 (en) * 2015-07-22 2021-10-05 AVAST Software s.r.o. Content access validation system and method
CN108052367A (zh) * 2017-12-27 2018-05-18 深圳豪客互联网有限公司 Method and apparatus for setting the interface background colour of an application
CN111885191B (zh) * 2020-07-30 2021-08-17 西安电子科技大学 Computer network communication system
CN112073443B (zh) * 2020-11-12 2021-03-16 飞天诚信科技股份有限公司 Method and system for accessing an authentication device from a browser

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859401A (zh) * 2006-01-12 2006-11-08 华为技术有限公司 Method for implementing security linkage between a mobile terminal and a mobile network
CN101018411A (zh) * 2007-02-16 2007-08-15 西安西电捷通无线网络通信有限公司 WAPI-based certificate roaming authentication method
CN101094063A (zh) * 2006-07-19 2007-12-26 中兴通讯股份有限公司 Secure interaction method for a nomadic terminal accessing a softswitch network system
CN101330401A (zh) * 2007-06-22 2008-12-24 华为技术有限公司 Security state assessment method, apparatus and system

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7486952B1 (en) * 2000-02-09 2009-02-03 Alcatel-Lucent Usa Inc. Facilitated security for handoff in wireless communications
CN1214686C (zh) * 2002-08-29 2005-08-10 华为技术有限公司 Roaming user information security control device and roaming user information interaction method
CN100525184C (zh) * 2004-05-27 2009-08-05 华为技术有限公司 Network security protection system and method
CN101022647B (zh) * 2006-02-15 2010-09-08 华为技术有限公司 Method and apparatus for determining security negotiation parameters during handover processing
US8346265B2 (en) * 2006-06-20 2013-01-01 Alcatel Lucent Secure communication network user mobility apparatus and methods
CN101123803B (zh) * 2006-08-11 2010-08-04 华为技术有限公司 Processing method for mobile station state changes in an associated reaction system
CN101521885B (zh) * 2008-02-26 2012-01-11 华为技术有限公司 Authority control method, system and device

Also Published As

Publication number Publication date
CN101621380A (zh) 2010-01-06
CN101621380B (zh) 2015-04-08
CN103260161A (zh) 2013-08-21
CN103260161B (zh) 2016-01-27

Legal Events

Code   Title                                                                              Description
121    Ep: the epo has been informed by wipo that ep was designated in this application
       Ref document number: 09718269; Country of ref document: EP; Kind code of ref document: A1
NENP   Non-entry into the national phase
       Ref country code: DE
122    Ep: pct application non-entry in european phase
       Ref document number: 09718269; Country of ref document: EP; Kind code of ref document: A1