WO2010045833A1 - Method, system and device for processing messages in wireless service network - Google Patents


Info

Publication number
WO2010045833A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
security
vlanif
bss
security zone
Application number
PCT/CN2009/074105
Other languages
French (fr)
Chinese (zh)
Inventor
郭贤志
Original Assignee
成都市华为赛门铁克科技有限公司 (Chengdu Huawei Symantec Technologies Co., Ltd.)
Application filed by 成都市华为赛门铁克科技有限公司 (Chengdu Huawei Symantec Technologies Co., Ltd.)
Publication of WO2010045833A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/086 Access security using security domains
    • H04W 12/088 Access security using filters or firewalls

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a method, system and device for processing packets in a wireless service network.
  • WIFI wireless fidelity
  • BSS Basic Service Set
  • AP Access Point
  • Each BSS in this instance is equivalent to a virtual AP and has its own SSID.
  • VLANs are generally used in the prior art.
  • VLAN Virtual Local Area Network
  • The uplink port of the AP is a "trunk port" that can carry the data of the different VLANs.
  • The Public network belongs to VLAN1, and the Corporate network and the intranet authentication server (Authentication Server) belong to VLAN2. Because they belong to different VLANs, Public network users cannot access the Corporate wireless network or the intranet authentication server; that is, access control between different BSSs is implemented by dividing them into different VLANs.
  • the embodiments of the present invention provide a method, a system, and a device for processing a message in a wireless service network, which reduce the cost and configuration complexity of the system.
  • An embodiment of the present invention provides a method for processing a packet in a wireless service network, which is applied to an access point AP device configured with multiple wireless service networks, where each of the wireless service networks is distinguished by a basic service set BSS.
  • Each BSS is configured with a different virtual LAN interface VLANIF, and the method includes: receiving a packet exchanged between the VLANIF in the BSS and an external network interface; obtaining a first security zone to which the VLANIF is added and a second security zone to which the external network interface is added; and processing the packet according to a security policy between the first security zone and the second security zone.
  • An embodiment of the present invention further provides an access point AP device, where the AP device is configured with multiple wireless service networks, each wireless service network is distinguished by a basic service set BSS, and each BSS has a different virtual LAN interface VLANIF. The AP device includes:
  • a packet receiving unit, configured to receive a packet exchanged between the VLANIF in the BSS and an external network interface;
  • a security zone obtaining unit, configured to obtain a first security zone to which the VLANIF is added and a second security zone to which the external network interface is added;
  • a packet processing unit, configured to process the packet according to a security policy between the first security zone and the second security zone.
  • the embodiment of the present invention further provides a network system, including a user terminal and an access point AP device, where the AP device is configured with multiple wireless service networks, and each of the wireless service networks is distinguished by a basic service set BSS.
  • Each BSS has a different VLAN interface VLANIF,
  • the user terminal is configured to access a BSS, send packets destined for an external network to the AP device through the VLANIF of the BSS, and receive, through the VLANIF of the BSS, packets from the external network that the AP device sends to it;
  • the AP device is configured to receive a packet exchanged between the VLANIF in the BSS and an external network interface, obtain a first security zone to which the VLANIF is added and a second security zone to which the external network interface is added, and process the packet according to a security policy between the first security zone and the second security zone.
  • a VLANIF is set for different BSSs, and the packets sent by the VLANIF in the BSS are received, and the packets are processed according to security policies between different security zones. This eliminates the need to deploy switches and easily implements access control for different BSSs, reducing system cost and configuration complexity. In addition, the flexibility of access control is improved by setting different security policies.
  • FIG. 1 is a schematic diagram of implementing access control of different BSSs by VLAN division in the prior art
  • FIG. 2 is a flowchart of a method for processing messages in a wireless service network according to an embodiment of the present invention
  • FIG. 3 is a flowchart of a method for configuring an AP according to an embodiment of the present invention
  • FIG. 4 is a schematic diagram of access control of different BSSs according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a method for processing a packet sent by a BSS to an external network according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of a method for processing a packet sent by an external network to a BSS according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of an AP device according to an embodiment of the present invention.
  • FIG. 8 is another schematic structural diagram of an AP device according to an embodiment of the present invention.
  • The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, and not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on these embodiments without creative effort fall within the scope of the present invention.
  • An embodiment of the present invention provides a method for processing a wireless service network, which is applied to an AP device configured with multiple wireless service networks, where each wireless service network is distinguished by a BSS, and each BSS has a different VLANIF (VLAN Interface).
  • The method, as shown in FIG. 2, includes:
  • Step s201: Receive a packet exchanged between the VLANIF in the BSS and the external network interface.
  • Step s202: Obtain the first security zone to which the VLANIF is added and the second security zone to which the external network interface is added.
  • Step s203: Process the packet according to the security policy between the first security zone and the second security zone.
  • A VLANIF is set for each BSS, packets sent through the VLANIF of a BSS are received, and the packets are processed according to the security policies between different security zones. Access control between different BSSs can therefore be implemented simply, without deploying a switch, which reduces system cost and configuration complexity. In addition, the flexibility of access control is improved by setting different security policies.
  • the VLANIF is configured for the BSS, and the VLANIF of the BSS is added to the security zone to implement access control of the BSS.
  • The BSS is assigned a VLAN and the corresponding VLANIF interface is created.
  • Because each BSS is assigned its own VLAN, different BSSs cannot access each other, so the VLANs are isolated from one another. Without further configuration, user terminals in a BSS cannot access other networks, such as the Internet or the internal network.
  • For a BSS to send packets to another network, the VLANIF of the BSS must first be added to a security zone and a security policy configured for that zone. Only packets from the BSS that satisfy the security policy of the zone are sent on to other networks.
  • The specific method for performing BSS configuration on the AP is as shown in FIG. 3, and includes the following steps:
  • Step s301: Create a BSS on the AP.
  • Step s302: Assign a VLAN to the BSS, and create the VLANIF at the same time.
  • Step s303: Configure an IP address for the VLANIF on the AP, and configure the DHCP (Dynamic Host Configuration Protocol) server of the VLANIF.
  • The DHCP server is configured to allocate IP addresses to user terminals that subsequently access the BSS.
  • Step s304: Add the VLANIF to a specific security zone.
  • The security zone may be a DMZ (Demilitarized Zone) domain.
  • DMZ Demilitarized Zone
  • Step s305: Configure security policies between the different security zones; access from the BSS to other networks is then controlled by the security policies between the security zones.
  • The security policy can be configured through an ACL (Access Control List) or other methods.
  • The specific content of a security policy can be: allow packets from user terminals whose IP address is in a specific network segment (such as 192.168.*.*) to pass, allow packets of a specific type to pass, allow packets from user terminals with a specific MAC (Medium Access Control) address to pass, and so on.
  • The role of the DMZ domain is to hold the servers that allow external access, such as Web servers and E-mail servers.
  • A DMZ domain is equivalent to a relatively independent area that belongs neither to the internal network nor to the external network, and generally sits between them. Its use is as follows: in practice, some hosts need to provide services to the outside. In order to provide high-quality service while effectively protecting the security of the internal network, the hosts that must be opened to the outside are placed in the DMZ domain, separated from the internal network equipment, and corresponding firewall measures are applied according to need, so that the internal network is protected while the services remain accessible.
  • The access control method from the BSS network to other networks is illustrated, as shown in FIG. 5, using the access control of packets sent from the BSS to the external network as an example. It includes the following steps:
  • Step s501: Receive a packet sent through the VLANIF.
  • The AP receives, from VLANIF1, a packet sent by a user terminal in the Public BSS; the destination address of the packet belongs to the Public network.
  • Step s502: Determine whether the inbound interface VLANIF1 on which the packet was received belongs to a security zone; if yes, continue, otherwise proceed to step s509.
  • The interfaces configured on the AP belong to security zones. Since VLANIF1 belongs to the Default domain, the AP determines that VLANIF1 belongs to a security zone. For a packet whose inbound interface does not belong to a security zone, go to step s509.
  • Step s503: Search for a route according to the destination address, and determine the outbound interface of the packet.
  • The AP determines, from the destination address of the packet and the local routing table, that the outbound interface for sending the packet is Port1.
  • Step s504: Determine whether the outbound interface Port1 of the packet is legal; if yes, continue, otherwise proceed to step s509.
  • The AP determines that the interface is legal. For a packet whose outbound interface does not exist, go to step s509.
  • Step s505: Determine whether the outbound interface belongs to a security zone; if yes, continue, otherwise proceed to step s509.
  • Port1 belongs to the Untrust domain, so the AP determines that the interface Port1 belongs to a security zone. For a packet whose outbound interface does not belong to a security zone, go to step s509.
  • Step s506: Perform packet matching and filtering according to the security policy between the security zone to which the inbound interface belongs and the security zone to which the outbound interface belongs.
  • The AP performs packet matching and filtering according to the security policy between the Default domain and the Untrust domain.
  • Step s507: Determine whether the packet conforms to the security policy; if yes, continue, otherwise proceed to step s509.
  • Step s508: Forward the packet to the outbound interface, and end the packet forwarding process.
  • The AP forwards the packet to the outbound interface Port1.
  • Step s509: Discard the packet or do not process it.
  • In this way, access control of packets sent from the BSS to the external network is realized.
  • a VLANIF is set for a different BSS, and a packet sent by the VLANIF in the BSS is received, and the packet is processed according to a security policy between different security zones.
  • the access control of different BSSs is easily implemented, which reduces the cost and configuration complexity of the system.
  • the flexibility of access control is improved by setting different security policies.
  • The access control method from other networks to the BSS network is illustrated, as shown in FIG. 6, using the access control of packets sent from the external network to the BSS as an example. It includes the following steps:
  • Step s601: Receive a packet sent by the external network.
  • The AP receives a packet from the Public network on Port1; the destination address of the packet belongs to the Public BSS.
  • Step s602: Determine whether the inbound interface Port1 on which the packet was received belongs to a security zone; if yes, continue, otherwise proceed to step s609.
  • The interfaces configured on the AP belong to security zones. Since Port1 belongs to the Untrust domain, the AP determines that Port1 belongs to a security zone. For a packet whose inbound interface does not belong to a security zone, go to step s609.
  • Step s603: Search for a route according to the destination address, and determine the outbound interface VLANIF used to send the packet.
  • The AP determines, from the destination address of the packet and the local routing table, that the outbound interface of the packet is VLANIF1.
  • Step s604: Determine whether the outbound interface VLANIF1 of the packet is legal; if yes, continue, otherwise proceed to step s609.
  • The AP determines that the interface is legal. For a packet whose outbound interface does not exist, go to step s609.
  • Step s605: Determine whether the interface VLANIF1 belongs to a security zone; if yes, continue, otherwise proceed to step s609.
  • VLANIF1 belongs to the Default domain, so the AP determines that the interface VLANIF1 belongs to a security zone. For a packet whose outbound interface does not belong to a security zone, go to step s609.
  • Step s606: Perform matching and filtering according to the security policy between the security zone to which the inbound interface belongs and the security zone to which the outbound interface belongs.
  • The AP performs packet matching and filtering according to the security policy between the Untrust domain and the Default domain.
  • Step s607: Determine whether the packet conforms to the security policy; if yes, continue, otherwise proceed to step s609.
  • Step s608: Forward the packet to the outbound interface, and end the packet forwarding process. Specifically, when the AP determines that the packet matches the security policy between the security zone of the inbound interface and the security zone of the outbound interface, it forwards the packet to the outbound interface, that is, VLANIF1.
  • Step s609: Discard the packet or do not process it.
  • a VLANIF is set for different BSSs, and the packets sent by the VLANIF in the BSS are received, and the packets are processed according to security policies between different security zones. Therefore, access control of different BSSs can be easily implemented without deploying a switch, which reduces system cost and configuration complexity. In addition, access control flexibility is enhanced by setting different security policies.
  • the embodiment of the present invention further provides a network system, including a user terminal and an AP device.
  • the AP device is configured with multiple wireless service networks, and each wireless service network is distinguished by a BSS.
  • Each BSS has a different VLANIF.
  • the user terminal is configured to access the BSS and send the packet that needs to be sent to the external network to the AP device through the VLANIF of the BSS, and receive the packet sent by the AP device from the external network through the VLANIF of the BSS;
  • the AP device is configured to receive a packet exchanged between the VLANIF in the BSS and the external network interface, obtain the first security zone that the VLANIF joins and the second security zone that the external network interface joins, and process the packet according to the security policy between the two security zones.
  • An embodiment of the present invention further provides an AP device.
  • the AP device is configured with multiple wireless service networks, and each wireless service network is distinguished by a BSS, and each BSS has a different VLANIF.
  • the AP device includes:
  • the packet receiving unit 10 is configured to receive a packet exchanged between the VLANIF in the BSS and the external network interface;
  • the security zone obtaining unit 20 is configured to obtain the first security zone to which the VLANIF is added and the second security zone to which the external network interface is added;
  • the packet processing unit 30 is configured to process the packet according to the security policy between the first security zone and the second security zone.
  • the device further includes:
  • the configuration unit 40 is configured to allocate a VLAN to each of the multiple BSSs, create a corresponding VLANIF for each BSS, add each VLANIF to a specific security zone, and set the security policy between the security zone to which the VLANIF is added and the security zone to which the external network port is added.
  • the security area obtaining unit 20 of the AP device may further include:
  • the first obtaining sub-unit 21 is configured to: when a user terminal in the BSS sends a packet to the external network through the VLANIF, obtain the first security zone to which the inbound interface VLANIF of the packet is added, determine the outbound interface of the packet (that is, the external network interface) according to the destination address of the packet, and obtain the second security zone to which that external network interface is added;
  • the second obtaining sub-unit 22 is configured to: when the external network sends a packet to a user terminal in the BSS through the VLANIF, obtain the second security zone to which the inbound interface of the packet (that is, the external network interface) is added, determine the outbound interface of the packet (that is, the VLANIF) according to the destination address of the packet, and obtain the first security zone to which that outbound VLANIF is added.
  • the packet processing unit 30 of the AP device is specifically configured to: when it determines that the packet meets the requirements of the security policy between the first security zone and the second security zone, forward the packet to its destination address; otherwise, discard the packet or leave it unprocessed.
  • A VLANIF is set for each BSS, and packets are processed according to the security policies between security zones.
  • Access control between different BSSs is thus easily realized, which reduces the cost and configuration complexity of the system.
  • the flexibility of access control is improved by setting different security policies.
  • The present invention can be implemented by hardware, or by software plus a necessary general hardware platform.
  • The technical solution of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (a CD-ROM, a USB flash drive or a mobile hard disk) and run on a computer device, which may be a personal computer, a server, a network device, etc.
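The configuration steps of FIG. 3 (s301 to s305) and the two forwarding flows of FIG. 5 and FIG. 6 (s501 to s509 and s601 to s609) together describe a zone-based firewall running on the AP itself. The Python model below is an added example written for this page; it is not code from the patent or from the assignee. It assumes a topology modelled on FIG. 4: a Public BSS on VLAN 1 whose VLANIF1 sits in zone Default, an uplink Port1 in zone Untrust, and, as an additional assumption, a Corporate BSS on VLAN 2 in a zone named Trust. The interface names, subnets, zone names and ACL rules are constructed for the example; the DHCP configuration of step s303 is omitted because it does not affect the forwarding decision. Two behaviours the text implies but does not spell out are also assumptions here: a zone pair with no configured policy, and a packet that matches no rule of a policy, are both dropped (step s509/s609).

```python
# Zone-based packet processing on a multi-BSS AP. Added example, not patent code.
# Models steps s301-s305 (configuration) and the decision of s501-s509 / s601-s609.
# All names, subnets, zones and rules below are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str       # interface the AP received the packet on
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    src_mac: str = ""   # only needed for MAC-address rules


@dataclass(frozen=True)
class Rule:
    """One ACL entry of an inter-zone security policy (step s305).
    A field left as None is a wildcard; every non-None field must match."""
    action: str                      # "permit" or "deny"
    src_net: Optional[str] = None    # network-segment rule, e.g. "192.168.1.0/24"
    proto: Optional[str] = None      # packet-type rule
    src_mac: Optional[str] = None    # MAC-address rule

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and ip_address(pkt.src_ip) not in ip_network(self.src_net):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_mac is not None and pkt.src_mac.lower() != self.src_mac.lower():
            return False
        return True


class ZoneAP:
    """The AP of the embodiment: interfaces, their zone membership, a routing
    table, and one ACL per (inbound zone, outbound zone) pair."""

    def __init__(self) -> None:
        self.interfaces = set()   # "legal" interfaces for steps s504/s604
        self.zone_of = {}         # interface name -> zone name
        self.routes = []          # (ip_network, outbound interface)
        self.policies = {}        # (from_zone, to_zone) -> [Rule, ...]

    def add_bss(self, vlan_id: int, subnet: str, zone: str) -> str:
        """Steps s301, s302, s304: create the BSS, assign a VLAN, create the
        VLANIF and add it to a security zone (s303, DHCP, is omitted)."""
        vlanif = f"VLANIF{vlan_id}"
        self.interfaces.add(vlanif)
        self.zone_of[vlanif] = zone
        self.routes.append((ip_network(subnet), vlanif))   # connected route
        return vlanif

    def add_port(self, name: str, route: str, zone: str) -> None:
        """External network interface (Port1 in the text) and the route it serves."""
        self.interfaces.add(name)
        self.zone_of[name] = zone
        self.routes.append((ip_network(route), name))

    def set_policy(self, from_zone: str, to_zone: str, rules) -> None:
        """Step s305: the ACL applied to traffic crossing from_zone -> to_zone."""
        self.policies[(from_zone, to_zone)] = list(rules)

    def lookup_route(self, dst_ip: str) -> Optional[str]:
        """Steps s503/s603: longest-prefix match on the local routing table."""
        dst = ip_address(dst_ip)
        best = None
        for net, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def process(self, pkt: Packet):
        """Returns ("forward", out_iface) or ("drop", reason)."""
        in_zone = self.zone_of.get(pkt.in_iface)
        if in_zone is None:                                          # s502 / s602
            return ("drop", "inbound interface not in a security zone")
        out_iface = self.lookup_route(pkt.dst_ip)                    # s503 / s603
        if out_iface is None or out_iface not in self.interfaces:    # s504 / s604
            return ("drop", "no legal outbound interface")
        out_zone = self.zone_of.get(out_iface)
        if out_zone is None:                                         # s505 / s605
            return ("drop", "outbound interface not in a security zone")
        rules = self.policies.get((in_zone, out_zone))               # s506 / s606
        if rules is None:                                            # assumed: default deny
            return ("drop", f"no policy {in_zone}->{out_zone}")
        for rule in rules:                                           # s507 / s607
            if rule.matches(pkt):
                if rule.action == "permit":
                    return ("forward", out_iface)                    # s508 / s608
                return ("drop", f"denied by policy {in_zone}->{out_zone}")
        return ("drop", f"no matching rule in policy {in_zone}->{out_zone}")


def build_fig4_ap() -> ZoneAP:
    """Constructed topology after FIG. 4; the Corporate BSS and zone Trust are assumed."""
    ap = ZoneAP()
    ap.add_bss(1, "192.168.1.0/24", "Default")    # Public BSS, guests
    ap.add_bss(2, "10.0.0.0/24", "Trust")         # Corporate BSS (assumed)
    ap.add_port("Port1", "0.0.0.0/0", "Untrust")  # uplink to the external network
    ap.set_policy("Default", "Untrust", [Rule("permit", src_net="192.168.1.0/24")])
    ap.set_policy("Untrust", "Default", [Rule("permit", proto="icmp")])
    ap.set_policy("Trust", "Untrust", [Rule("permit")])
    ap.set_policy("Untrust", "Trust", [Rule("deny")])
    # No Default->Trust policy is configured: guests cannot reach the Corporate BSS.
    return ap


if __name__ == "__main__":
    ap = build_fig4_ap()
    for p in (Packet("VLANIF1", "192.168.1.10", "8.8.8.8", "tcp"),
              Packet("VLANIF1", "192.168.1.10", "10.0.0.5", "tcp"),
              Packet("Port1", "8.8.8.8", "192.168.1.10", "icmp")):
        print(p.in_iface, p.src_ip, "->", p.dst_ip, ap.process(p))
```

The guest-to-Corporate case is the one the embodiment is built around: VLANIF1 (Default) and VLANIF2 (Trust) are both interfaces of the same AP, so the route lookup of step s503 succeeds, but with no Default-to-Trust policy configured the packet is still dropped at step s506, and no VLAN-capable switch or trunk port is needed to keep the two BSSs apart. The source-segment rule on Default-to-Untrust also drops a guest packet carrying a spoofed Corporate address, which a plain VLAN split would pass.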

Abstract

A method, system and device for processing messages in a wireless service network are disclosed in the embodiments of the present invention. The method is applied in an Access Point (AP) device configured with a plurality of wireless service networks, where each wireless service network is identified by a Basic Service Set (BSS) and each BSS has a different Virtual Local Area Network Interface (VLANIF). The method includes the following steps: receiving a message exchanged between the VLANIF of the BSS and an external network interface; acquiring a first security zone to which the VLANIF belongs and a second security zone to which the external network interface belongs; and processing the message according to the security policy between the first and the second security zones. In the embodiments of the present invention, access control to different BSSs is conveniently realized, and system cost and configuration complexity are reduced. In addition, the flexibility of access control is increased by setting different security policies.

Description

Method, system and device for processing messages in a wireless service network

Technical Field

The present invention relates to the field of communications technologies, and in particular to a method, system and device for processing packets in a wireless service network.

Background
At present, WIFI (wireless fidelity) wireless LAN applications are becoming more and more widespread. From mobile phones, PCs and laptops to other WIFI mobile devices, more and more users need to connect to the Internet through a WIFI network. Early devices could only support creating one BSS (Basic Service Set); that is, one AP (Access Point) could only provide users with one "wireless network", and all users on that network had essentially the same permissions. With the current popularity of wireless networks, there is a need for one AP to provide multiple wireless networks.
For example, organizations have visitors carrying WIFI devices, and these WIFI devices need to connect to the Internet. In the prior art, in order to meet the Internet access needs of such visitors, who are untrusted users, multiple wireless networks are usually provided on the same AP. For example, two BSSs are created on the same AP: one called Public, for visitors, and the other called Corporate, for internal users. Visitors can only join the Public network, after which they can access the Internet but not the internal network. Internal users can join the Corporate network and then access the internal network. Each BSS in this example is equivalent to a virtual AP, with its own SSID (Service Set Identifier), MAC (Media Access Control) address, authentication settings and encryption settings, and uses a different security policy.
To implement the isolation and access control between the above virtual APs, the prior art generally uses VLAN (Virtual Local Area Network) technology. Taking the networking environment shown in FIG. 1 as an example, each BSS is assigned a VLAN, and different VLANs cannot access each other. The uplink port of the AP is a "Trunk port" that can carry the data of different VLANs. The Public network belongs to VLAN1, while the Corporate network and the intranet authentication server (Authentication Server) belong to VLAN2. Because they belong to different VLANs, Public network users cannot access the Corporate wireless network or the intranet authentication server; that is, access control between different BSSs is implemented by dividing them into different VLANs.
The inventor found that the prior-art implementation has the following problems:

In existing BSS applications, a switch with VLAN capability must additionally be deployed, and both the AP and the switch must be configured, which increases the cost and configuration complexity of the system. In addition, when access control between different BSSs is implemented by VLAN division, the implementation of access control is not flexible enough.

Summary of the Invention
The embodiments of the present invention provide a method, system and device for processing packets in a wireless service network, which reduce the cost and configuration complexity of the system.

An embodiment of the present invention provides a method for processing packets in a wireless service network, applied to an access point (AP) device configured with multiple wireless service networks, where each wireless service network is distinguished by a basic service set (BSS) and each BSS is configured with a different virtual LAN interface (VLANIF). The method includes:

receiving a packet exchanged between the VLANIF in the BSS and an external network interface;

obtaining a first security zone to which the VLANIF is added and a second security zone to which the external network interface is added;

processing the packet according to the security policy between the first security zone and the second security zone.

An embodiment of the present invention further provides an access point (AP) device, where the AP device is configured with multiple wireless service networks, each wireless service network is distinguished by a basic service set (BSS), and each BSS has a different virtual LAN interface (VLANIF). The AP device includes:

a packet receiving unit, configured to receive a packet exchanged between the VLANIF in the BSS and an external network interface;

a security zone obtaining unit, configured to obtain the first security zone to which the VLANIF is added and the second security zone to which the external network interface is added;

a packet processing unit, configured to process the packet according to the security policy between the first security zone and the second security zone.

An embodiment of the present invention further provides a network system, including a user terminal and an access point (AP) device, where the AP device is configured with multiple wireless service networks, each wireless service network is distinguished by a basic service set (BSS), and each BSS has a different virtual LAN interface (VLANIF);

the user terminal is configured to access a BSS, send packets destined for an external network to the AP device through the VLANIF of the BSS, and receive, through the VLANIF of the BSS, packets from the external network that the AP device sends to it;

the AP device is configured to receive a packet exchanged between the VLANIF in the BSS and an external network interface, obtain the first security zone to which the VLANIF is added and the second security zone to which the external network interface is added, and process the packet according to the security policy between the first security zone and the second security zone.

Compared with the prior art, the embodiments of the present invention have the following advantages:

In the embodiments of the present invention, a VLANIF is set for each BSS, packets sent through the VLANIF of a BSS are received, and the packets are processed according to the security policies between different security zones. Access control between different BSSs can thus be implemented simply, without deploying a switch, which reduces the cost and configuration complexity of the system. In addition, the flexibility of access control is improved by configuring different security policies.

Brief Description of the Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic diagram of implementing access control of different BSSs by VLAN division in the prior art;

FIG. 2 is a flowchart of the method for processing packets in a wireless service network according to an embodiment of the present invention;

FIG. 3 is a flowchart of the method for configuring an AP according to an embodiment of the present invention;

FIG. 4 is a schematic diagram of implementing access control of different BSSs according to an embodiment of the present invention;

FIG. 5 is a flowchart of the method for processing a packet sent from a BSS to an external network according to an embodiment of the present invention;

FIG. 6 is a flowchart of the method for processing a packet sent from an external network to a BSS according to an embodiment of the present invention;

FIG. 7 is a schematic structural diagram of an AP device according to an embodiment of the present invention;

FIG. 8 is another schematic structural diagram of an AP device according to an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, and not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
An embodiment of the present invention provides a method for processing packets in a wireless service network. It applies to an AP device configured with multiple wireless service networks, where each wireless service network is distinguished by a BSS and each BSS has a different VLANIF (VLAN Interface). As shown in Figure 2 (the method flowchart; Figure 1 shows the prior art), the method includes:
Step s201: Receive a packet exchanged between the VLANIF in a BSS and an external network interface.
Step s202: Obtain the first security zone to which the VLANIF has been added and the second security zone to which the external network interface has been added.
Step s203: Process the packet according to the security policy between the first security zone and the second security zone.
In the above method provided by the embodiment of the present invention, a VLANIF is configured for each BSS; packets sent from a BSS through its VLANIF are received and processed according to the security policy between the security zones involved. Access control between different BSSs is thus implemented simply and without deploying a switch, which lowers system cost and configuration complexity. In addition, configuring different security policies makes access control more flexible.
In the embodiments of the present invention, access control of a BSS is implemented by configuring a VLANIF for the BSS and adding that VLANIF to a security zone. Specifically, after a BSS is created on the AP, a VLAN is assigned to the BSS and the corresponding VLANIF interface is created. Through VLAN division, different BSSs are placed in different VLANs and cannot access each other, so the VLANs isolate the BSSs from one another. Without further configuration, user terminals in a BSS cannot access other networks such as the Internet or an internal network. Before a BSS can send packets to another network, its VLANIF must first be added to a security zone and the security policy of that zone must be configured; a packet from the BSS is sent to the other network only if it complies with the security policy of the zone.
In the embodiment of the present invention, the specific method for configuring a BSS on the AP is shown in Figure 3 and includes the following steps:
Step s301: Create a BSS on the AP.
Step s302: Assign a VLAN to the BSS and create the VLANIF at the same time.
Step s303: Configure an IP address for the VLANIF on the AP and, at the same time, configure the DHCP (Dynamic Host Configuration Protocol) server of the VLANIF. The DHCP server assigns IP addresses to user terminals that subsequently access the BSS.
Step s304: Add the VLANIF to a specific security zone.
Specifically, the security zone may be a DMZ (Demilitarized Zone).
Step s305: Configure the security policies between the different security zones; access from the BSS to other networks is then controlled by the inter-zone security policies.
Specifically, the security policy may be configured through an ACL (Access Control List) or by other means. The content of a security policy may be, for example: allow packets from user terminals whose IP address is in a specific network segment (such as 192.168.*.*), allow packets of a specific type, allow packets from user terminals with a specific MAC (Media Access Control) address, and so on.
The specific implementation of the embodiment of the present invention is described below with reference to a concrete network scenario. Take the networking environment shown in Figure 4 as an example: VLANIF1 of the Public BSS is added to the Default zone, VLANIF2 of the Corporate BSS is added to the Trust zone, the interface Port1 through which the AP connects to the Public network is added to the Untrust zone, and the interface Port2 through which the AP connects to the Corporate network is added to the DMZ zone. The Default, Trust, Untrust and DMZ zones are all security zones.
The purpose of the DMZ is to attach servers that must be reachable from outside, such as Web servers and e-mail servers, to a separate zone. The DMZ is a relatively independent area that belongs neither to the internal network nor to the external network, and generally sits between the two. In practice, some hosts must provide services externally; to provide those services well while still protecting the internal network effectively, the hosts that must be exposed are placed in the DMZ, separated from the internal network devices, and firewall measures tailored to the different needs are applied to them. In this way friendly service is provided to the outside while the internal network is protected as far as possible.
In the embodiment of the present invention, with reference to the network scenario shown in Figure 4, the method of controlling access from a BSS network to other networks is described using the access control of a packet sent from a BSS to an external network as an example. As shown in Figure 5, it includes the following steps:
Step s501: Receive a packet sent through a VLANIF.
Specifically, assume that the AP receives, on VLANIF1, a packet sent by a user terminal in the Public BSS, and that the destination address of the packet belongs to the Public network.
Step s502: Determine whether the inbound interface VLANIF1 on which the packet was received belongs to a security zone. If yes, continue; otherwise go to step s509.
Specifically, in the embodiment of the present invention all zones configured on the AP are security zones; since VLANIF1 belongs to the Default zone, the AP determines that VLANIF1 belongs to a security zone. For a packet whose inbound interface does not belong to a security zone, step s509 is performed.
Step s503: Look up the route according to the destination address and determine the outbound interface of the packet.
Specifically, according to the destination address of the packet and the local routing table, the AP determines that the outbound interface for sending the packet is Port1.
Step s504: Determine whether the outbound interface Port1 of the packet is valid. If yes, continue; otherwise go to step s509.
Specifically, since Port1 actually exists, the AP determines that the outbound interface is valid. For an outbound interface that does not exist, step s509 is performed.
Step s505: Determine whether the outbound interface belongs to a security zone. If yes, continue; otherwise go to step s509.
Specifically, since Port1 belongs to the Untrust zone, the AP determines that the outbound interface Port1 belongs to a security zone. For a packet whose outbound interface does not belong to a security zone, step s509 is performed.
Step s506: Perform packet matching and filtering according to the security policy between the security zone of the inbound interface and the security zone of the outbound interface.
Specifically, the AP performs packet matching and filtering according to the security policy between the Default zone and the Untrust zone.
Step s507: Determine whether the packet complies with the security policy. If yes, continue; otherwise go to step s509.
Step s508: Forward the packet to the outbound interface and end the forwarding procedure for this packet.
Specifically, when the AP determines that the packet complies with the security policy between the security zone of the inbound interface and the security zone of the outbound interface, it forwards the packet to the outbound interface Port1.
Step s509: Discard the packet, or do not process the packet.
Through the above steps, access control of packets sent from a BSS to an external network is implemented. In the above method provided by the embodiment of the present invention, a VLANIF is configured for each BSS; packets sent from a BSS through its VLANIF are received and processed according to the security policy between the security zones involved. Access control between different BSSs is thus implemented simply, which lowers system cost and configuration complexity. In addition, configuring different security policies makes access control more flexible.
In the embodiment of the present invention, the method of controlling access from other networks to a BSS network is described using the access control of a packet sent from an external network to a BSS as an example. As shown in Figure 6, it includes the following steps:
Step s601: Receive a packet sent by an external network.
Specifically, assume that the AP receives, on Port1, a packet from the Public network, and that the destination address of the packet belongs to the Public BSS.
Step s602: Determine whether the inbound interface Port1 on which the packet was received belongs to a security zone. If yes, continue; otherwise go to step s609.
Specifically, in the embodiment of the present invention all zones configured on the AP are security zones; since Port1 belongs to the Untrust zone, the AP determines that Port1 belongs to a security zone. For a packet whose inbound interface does not belong to a security zone, step s609 is performed.
Step s603: Look up the route according to the destination address and determine the outbound interface VLANIF for sending the packet.
Specifically, according to the destination address of the packet and the local routing table, the AP determines that the outbound interface of the packet is VLANIF1.
Step s604: Determine whether the outbound interface VLANIF1 of the packet is valid. If yes, continue; otherwise go to step s609.
Specifically, since VLANIF1 actually exists, the AP determines that the outbound interface is valid. For an outbound interface that does not exist, step s609 is performed.
Step s605: Determine whether the outbound interface VLANIF1 belongs to a security zone. If yes, continue; otherwise go to step s609.
Specifically, since VLANIF1 belongs to the Default zone, the AP determines that the outbound interface VLANIF1 belongs to a security zone. For a packet whose outbound interface does not belong to a security zone, step s609 is performed.
Step s606: Perform packet matching and filtering according to the security policy between the security zone of the inbound interface and the security zone of the outbound interface.
Specifically, the AP performs packet matching and filtering according to the security policy between the Untrust zone (inbound) and the Default zone (outbound).
Step s607: Determine whether the packet complies with the security policy. If yes, continue; otherwise go to step s609.
Step s608: Forward the packet to the outbound interface and end the forwarding procedure for this packet.
Specifically, when the AP determines that the packet complies with the security policy between the security zone of the inbound interface and the security zone of the outbound interface, it forwards the packet to the outbound interface VLANIF1.
Step s609: Discard the packet, or do not process the packet.
Through the above steps, access control of packets sent from an external network to a BSS is implemented. The above describes the specific implementation of the embodiment of the present invention using only the forwarding of packets between the Default zone and the Untrust zone as an example; forwarding of packets between other zones is handled in the same way and is not described again here.
In the above method provided by the embodiment of the present invention, a VLANIF is configured for each BSS; packets sent from a BSS through its VLANIF are received and processed according to the security policy between the security zones involved. Access control between different BSSs is thus implemented simply and without deploying a switch, which lowers system cost and configuration complexity. In addition, configuring different security policies makes access control more flexible.
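The configuration steps s301 to s305, the Figure 4 zone assignments and the forwarding checks of Figures 5 and 6 together describe a small zone-based packet filter. The Python below is an added example of that logic; it is not code from the patent or from the applicant. Interface and zone names are the ones the text uses (VLANIF1, VLANIF2, Port1, Port2; Default, Trust, Untrust, DMZ). The subnets, the MAC address, the concrete rules, and the use of a connected subnet to stand in for the VLANIF address and DHCP pool of step s303 are assumptions for illustration. Both directions of Figures 5 and 6 go through the same `process` method, since the checks differ only in which interface is a VLANIF and which is a port.

```python
# Added example (not code from the patent): zone-based filtering on a multi-BSS
# AP after steps s301-s305, Figure 4 and the flows of Figures 5 and 6.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FORWARD, DROP = "forward", "drop"


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    proto: str      # "tcp", "udp", "icmp"
    in_iface: str   # interface the packet arrived on


@dataclass
class Rule:
    """One ACL-style filter condition (step s305); a None field matches anything."""
    src_net: Optional[str] = None   # e.g. "192.168.1.0/24"
    src_mac: Optional[str] = None
    proto: Optional[str] = None
    action: str = FORWARD

    def matches(self, pkt: Packet) -> bool:
        if self.src_net and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.src_mac and pkt.src_mac.lower() != self.src_mac.lower():
            return False
        return self.proto is None or self.proto == pkt.proto


class AccessPoint:
    def __init__(self) -> None:
        self.zones: Dict[str, Optional[str]] = {}   # interface -> zone (None until s304)
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []
        # Policy keyed by (inbound zone, outbound zone). A zone pair without a
        # policy is default deny, which is what keeps the BSSs isolated.
        self.policies: Dict[Tuple[str, str], List[Rule]] = {}
        self._next_vlan = 1

    def create_bss(self, subnet: str) -> str:
        """s301-s303: create BSS, assign VLAN, create VLANIF; the subnet stands
        in for the VLANIF address and its DHCP pool (assumed modelling)."""
        name = f"VLANIF{self._next_vlan}"
        self._next_vlan += 1
        self.zones[name] = None
        self.routes.append((ipaddress.ip_network(subnet), name))
        return name

    def add_port(self, name: str, network: str) -> None:   # uplink + its route
        self.zones[name] = None
        self.routes.append((ipaddress.ip_network(network), name))

    def add_to_zone(self, iface: str, zone: str) -> None:  # s304
        self.zones[iface] = zone

    def set_policy(self, in_zone: str, out_zone: str, rules: List[Rule]) -> None:
        self.policies[(in_zone, out_zone)] = list(rules)   # s305

    def lookup_route(self, dst_ip: str) -> Optional[str]:  # s503/s603, longest prefix
        addr = ipaddress.ip_address(dst_ip)
        hits = [(n, i) for n, i in self.routes if addr in n]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

    def process(self, pkt: Packet) -> Tuple[str, str]:  # (FORWARD, out iface) or (DROP, reason)
        if self.zones.get(pkt.in_iface) is None:                # s502/s602
            return DROP, "inbound interface not in a security zone"
        out_if = self.lookup_route(pkt.dst_ip)
        if out_if not in self.zones:                            # s503-s504/s603-s604
            return DROP, "no valid outbound interface"
        if self.zones[out_if] is None:                          # s505/s605
            return DROP, "outbound interface not in a security zone"
        for rule in self.policies.get((self.zones[pkt.in_iface], self.zones[out_if]), []):  # s506/s606
            if rule.matches(pkt):                               # s507/s607
                if rule.action == FORWARD:
                    return FORWARD, out_if                      # s508/s608
                return DROP, "denied by policy"
        return DROP, "no matching policy (default deny)"        # s509/s609


def build_figure4_ap() -> AccessPoint:
    """The Figure 4 scenario; subnets, the MAC address and rules are assumed."""
    ap = AccessPoint()
    vlanif1 = ap.create_bss("192.168.1.0/24")   # Public BSS -> VLANIF1
    vlanif2 = ap.create_bss("192.168.2.0/24")   # Corporate BSS -> VLANIF2
    ap.add_port("Port1", "0.0.0.0/0")   # default route toward the Public network
    ap.add_port("Port2", "10.0.0.0/8")  # Corporate network behind Port2
    ap.add_to_zone(vlanif1, "Default")
    ap.add_to_zone(vlanif2, "Trust")
    ap.add_to_zone("Port1", "Untrust")
    ap.add_to_zone("Port2", "DMZ")
    # Public BSS may reach the Internet except ICMP; only TCP may come back in.
    ap.set_policy("Default", "Untrust",
                  [Rule(proto="icmp", action=DROP), Rule(src_net="192.168.1.0/24")])
    ap.set_policy("Untrust", "Default", [Rule(proto="tcp")])
    # One Corporate terminal, identified by MAC, may reach the network behind Port2.
    ap.set_policy("Trust", "DMZ", [Rule(src_mac="aa:bb:cc:dd:ee:01")])
    return ap  # no (Default, Trust) policy: the two BSSs cannot reach each other
```

A zone pair with no configured policy is treated as default deny, matching step s509/s609 ("discard or do not process"). That is what keeps the Public and Corporate BSSs from reaching each other without an explicit rule, and it also means traffic from a BSS toward a zone the text never paired it with (for example, Public BSS to the network behind Port2) is dropped rather than forwarded. Rules are evaluated first-match, so an explicit deny placed before a broader allow takes effect, as the ICMP rule shows.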
An embodiment of the present invention further provides a network system comprising a user terminal and an AP device. The AP device is configured with multiple wireless service networks, each wireless service network is distinguished by a BSS, and each BSS has a different VLANIF.
The user terminal is configured to access a BSS, send the packets that need to be sent to an external network to the AP device through the VLANIF of the BSS, and receive the packets from the external network that the AP device sends through the VLANIF of the BSS.
The AP device is configured to receive packets exchanged between the VLANIF in the BSS and an external network interface, obtain the first security zone to which the VLANIF has been added and the second security zone to which the external network interface has been added, and process the packets according to the security policy between the first security zone and the second security zone.
An embodiment of the present invention further provides an AP device. The AP device is configured with multiple wireless service networks, each wireless service network is distinguished by a BSS, and each BSS has a different VLANIF. Specifically, as shown in Figure 7, the AP device includes:
a packet receiving unit 10, configured to receive packets exchanged between the VLANIF in a BSS and an external network interface;
a security zone obtaining unit 20, configured to obtain the first security zone to which the VLANIF has been added and the second security zone to which the external network interface has been added;
a packet processing unit 30, configured to process the packets according to the security policy between the first security zone and the second security zone.
In another embodiment of the present invention, as shown in Figure 8, the AP device further includes:
a configuration unit 40, configured to assign VLANs to the multiple BSSs, create a corresponding VLANIF for each BSS, add each VLANIF to a specific security zone, and set the security policy between the security zone to which a VLANIF has been added and the security zone to which the external network interface has been added.
In addition, the security zone obtaining unit 20 of the AP device may further include:
a first obtaining subunit 21, configured to, when the packet is a packet sent by a user terminal in the BSS to an external network through the VLANIF, obtain the first security zone to which the inbound interface VLANIF of the packet has been added, determine the outbound interface of the packet, namely the external network interface, according to the destination address of the packet, and obtain the second security zone to which that outbound external network interface has been added;
a second obtaining subunit 22, configured to, when the packet is a packet sent by an external network through the VLANIF to a user terminal in the BSS, obtain the second security zone to which the inbound interface of the packet, namely the external network interface, has been added, determine the outbound interface of the packet, namely the VLANIF, according to the destination address of the packet, and obtain the first security zone to which that outbound VLANIF has been added.
In addition, the packet processing unit 30 of the AP device is specifically configured to forward the packet to its destination address when it determines that the packet meets the requirements of the security policy between the first security zone and the second security zone, and otherwise not to process the packet.
In the above system and device provided by the embodiments of the present invention, a VLANIF is configured for each BSS; packets sent from a BSS through its VLANIF are received and processed according to the security policy between the security zones involved. Access control between different BSSs is thus implemented simply, which lowers system cost and configuration complexity. In addition, configuring different security policies makes access control more flexible.
From the description of the above embodiments, a person skilled in the art can clearly understand that the present invention may be implemented by hardware, or by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention may be embodied in the form of a software product stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, or the like) and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the methods described in the embodiments of the present invention.
What is disclosed above is only a few specific embodiments of the present invention; the present invention is not limited thereto, and any variation that a person skilled in the art can conceive shall fall within the protection scope of the present invention.

Claims

1. A method for processing packets in a wireless service network, characterized in that it is applied to an access point (AP) device configured with multiple wireless service networks, where each wireless service network is distinguished by a basic service set (BSS) and each BSS is configured with a different virtual local area network interface (VLANIF), the method comprising:
receiving a packet exchanged between the VLANIF in a BSS and an external network interface;
obtaining a first security zone to which the VLANIF has been added and a second security zone to which the external network interface has been added;
processing the packet according to a security policy between the first security zone and the second security zone.
2. The method according to claim 1, characterized in that before receiving the packet exchanged between the VLANIF in the BSS and the external network interface, the method further comprises:
assigning a virtual local area network (VLAN) to each of the multiple BSSs and creating the corresponding VLANIF for each BSS;
adding the VLANIF to a specific security zone;
setting a security policy between the security zone to which the VLANIF has been added and the security zone to which the external network interface has been added.
3. The method according to claim 1, characterized in that when the packet is a packet sent by a user terminal in the BSS to an external network through the VLANIF, obtaining the first security zone to which the VLANIF has been added and the second security zone to which the external network interface has been added comprises:
obtaining the first security zone to which the inbound interface VLANIF of the packet has been added;
determining the external network interface that is the outbound interface of the packet according to the destination address of the packet; and obtaining the second security zone to which that outbound external network interface has been added.
4. The method according to claim 1, characterized in that when the packet is a packet sent by an external network through the VLANIF to a user terminal in the BSS, obtaining the first security zone to which the VLANIF has been added and the second security zone to which the external network interface has been added comprises:
obtaining the second security zone to which the external network interface that is the inbound interface of the packet has been added; determining the VLANIF that is the outbound interface of the packet according to the destination address of the packet; and obtaining the first security zone to which that outbound VLANIF has been added.
5. The method according to claim 1 or 2, characterized in that processing the packet according to the security policy between the first security zone and the second security zone comprises:
when it is determined that the packet meets the requirements of the security policy between the first security zone and the second security zone, forwarding the packet to the destination address of the packet; otherwise, not processing the packet.
6. The method according to claim 5, characterized in that the security policy comprises preset filter conditions, and determining that the packet meets the requirements of the security policy between the first security zone and the second security zone comprises: matching the packet against the filter conditions preset in the security policy, and determining that the packet meets the requirements of the security policy between the first security zone and the second security zone when the match succeeds.
7. An access point (AP) device, characterized in that the AP device is configured with multiple wireless service networks, each wireless service network is distinguished by a basic service set (BSS), and each BSS has a different virtual local area network interface (VLANIF), the AP device comprising:
a packet receiving unit, configured to receive a packet exchanged between the VLANIF in a BSS and an external network interface;
a security zone obtaining unit, configured to obtain a first security zone to which the VLANIF has been added and a second security zone to which the external network interface has been added;
a packet processing unit, configured to process the packet according to a security policy between the first security zone and the second security zone.
8. The AP device according to claim 7, characterized by further comprising: a configuration unit, configured to assign a virtual local area network (VLAN) to each of the multiple BSSs, create the corresponding VLANIF for each BSS, add the VLANIF to a specific security zone, and set a security policy between the security zone to which the VLANIF has been added and the security zone to which the external network interface has been added.
9. The AP device according to claim 7, characterized in that the security zone obtaining unit comprises:
a first obtaining subunit, configured to, when the packet is a packet sent by a user terminal in the BSS to an external network through the VLANIF, obtain the first security zone to which the inbound interface VLANIF of the packet has been added, determine the external network interface that is the outbound interface of the packet according to the destination address of the packet, and obtain the second security zone to which that outbound external network interface has been added;
a second obtaining subunit, configured to, when the packet is a packet sent by an external network through the VLANIF to a user terminal in the BSS, obtain the second security zone to which the external network interface that is the inbound interface of the packet has been added, determine the VLANIF that is the outbound interface of the packet according to the destination address of the packet, and obtain the first security zone to which that outbound VLANIF has been added.
10. The AP device according to claim 7, characterized in that the packet processing unit is specifically configured to:
when it is determined that the packet meets the requirements of the security policy between the first security zone and the second security zone, forward the packet to the destination address of the packet; otherwise, not process the packet.
11. A network system, comprising a user terminal and an access point AP device, wherein the AP device is configured with multiple wireless service networks, each wireless service network is distinguished by a basic service set BSS, and each BSS has a different virtual local area network interface VLANIF;
the user terminal is configured to access a BSS, send the packets that need to be sent to the external network to the AP device through the VLANIF of that BSS, and receive the packets from the external network that the AP device sends through the VLANIF of that BSS;
the AP device is configured to receive packets exchanged between the VLANIF in the BSS and an external network interface, acquire the first security zone to which the VLANIF belongs and the second security zone to which the external network interface belongs, and process the packets according to the security policy between the first security zone and the second security zone.
12. The network system according to claim 11, wherein the AP device comprises: a packet receiving unit, configured to receive packets exchanged between the VLANIF in the BSS and the external network interface; a security zone acquiring unit, configured to acquire the first security zone to which the VLANIF belongs and the second security zone to which the external network interface belongs;
and a packet processing unit, configured to process the packets according to the security policy between the first security zone and the second security zone.
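The zone lookup and forwarding decision that claims 9 to 12 describe, as an added worked example in Python (not code from the patent or its assignee). Each BSS's VLANIF and the external network interface are assigned to a security zone; for every packet the AP takes the zone of the inbound interface, resolves the outbound interface from the destination address, takes that interface's zone, and applies the policy configured for the zone pair. All interface names, zone names, prefixes and policy rules are constructed for illustration. The example goes beyond the claims in two places, both marked in the code: it checks that a packet arriving on a BSS carries a source address from that BSS's own prefix, and it shows what happens to traffic between two BSSs placed in different zones (with no policy for that pair, the default deny drops it).

```python
"""Zone-based packet handling on a multi-BSS access point, modelled on claims 9 to 12.

Added example, not code from the patent or its assignee.  All interface names,
zone names, prefixes and policy rules are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the AP received the packet on
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


# Interface -> security zone.  Each BSS has its own VLANIF, and each VLANIF is placed
# in a zone (the claims' "first security zone"); the external network interface is
# placed in another (the "second security zone").  Constructed names.
ZONE_OF_IFACE = {
    "vlanif10": "guest",    # BSS 1, SSID for visitors
    "vlanif20": "staff",    # BSS 2, SSID for employees
    "ge0/0/1": "untrust",   # external network interface (uplink)
}

# Routing table: destination prefix -> outbound interface (longest prefix wins).
ROUTES = [
    (ip_network("10.10.0.0/24"), "vlanif10"),
    (ip_network("10.20.0.0/24"), "vlanif20"),
    (ip_network("0.0.0.0/0"), "ge0/0/1"),
]

# Prefix each VLANIF serves, derived from the connected routes; used for the
# anti-spoofing check below (an addition beyond the claims).
IFACE_PREFIX = {iface: net for net, iface in ROUTES if net.prefixlen > 0}

# Inter-zone policy, keyed by (inbound zone, outbound zone).  Each rule is
# (protocol or "any", destination port or None for any, action).  First match wins;
# a zone pair with no policy, or no matching rule, is denied.
POLICY = {
    ("guest", "untrust"): [("tcp", 80, "permit"), ("tcp", 443, "permit"), ("udp", 53, "permit")],
    ("staff", "untrust"): [("any", None, "permit")],
    ("untrust", "staff"): [("tcp", 22, "permit")],
    # ("untrust", "guest") and ("guest", "staff") are deliberately absent: unsolicited
    # traffic towards guests, and guest-to-staff traffic, fall through to the default deny.
}


def lookup_route(dst: str) -> str:
    """Return the outbound interface for a destination address (longest-prefix match)."""
    addr = ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in ROUTES if addr in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches)[1]


def zone_pair(pkt: Packet) -> tuple[str, str]:
    """Claim 9 in both directions: zone of the inbound interface, then zone of the
    outbound interface selected by the packet's destination address."""
    out_iface = lookup_route(pkt.dst)
    return ZONE_OF_IFACE[pkt.in_iface], ZONE_OF_IFACE[out_iface]


def process_packet(pkt: Packet) -> str:
    """Claim 10: forward if the inter-zone policy permits the packet, otherwise drop it.

    Two behaviours here go beyond the claims: a source-address check on BSS ingress,
    and a default permit for traffic that stays within one zone (the usual
    zone-firewall convention, where inter-zone policy does not apply)."""
    prefix = IFACE_PREFIX.get(pkt.in_iface)
    if prefix is not None and ip_address(pkt.src) not in prefix:
        return "drop"   # spoofed source: the address does not belong to the BSS it arrived from
    src_zone, dst_zone = zone_pair(pkt)
    if src_zone == dst_zone:
        return "forward"
    for proto, dport, action in POLICY.get((src_zone, dst_zone), []):
        if proto in ("any", pkt.proto) and dport in (None, pkt.dport):
            return "forward" if action == "permit" else "drop"
    return "drop"   # default deny, including zone pairs with no policy configured


if __name__ == "__main__":
    samples = [  # constructed traffic
        Packet("vlanif10", "10.10.0.5", "203.0.113.10", "tcp", 443),   # guest -> web: forward
        Packet("vlanif10", "10.10.0.5", "203.0.113.10", "tcp", 25),    # guest -> SMTP: drop
        Packet("vlanif10", "10.10.0.5", "10.20.0.7", "tcp", 445),      # guest -> staff BSS: drop
        Packet("ge0/0/1", "198.51.100.4", "10.20.0.7", "tcp", 22),     # internet -> staff SSH: forward
        Packet("ge0/0/1", "198.51.100.4", "10.10.0.5", "tcp", 80),     # internet -> guest: drop
        Packet("vlanif10", "10.20.0.9", "203.0.113.10", "tcp", 443),   # staff address spoofed on guest BSS: drop
    ]
    for p in samples:
        print(f"{p.in_iface:9} {p.src:>13} -> {p.dst:<13} {p.proto}/{p.dport}: {process_packet(p)}")
```

The point the model makes explicit is that the policy decision keys on the zones of the two interfaces, not on addresses: a client cannot move itself into a more trusted zone by choosing an SSID, because the BSS it associated to fixes the VLANIF and therefore the zone. The one thing the zone lookup does not prevent on its own is a client on one BSS forging a source address from another BSS's prefix, which is why the example adds the ingress prefix check before the zone lookup.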
Application PCT/CN2009/074105 (priority date 2008-10-22, filing date 2009-09-22): Method, system and device for processing messages in wireless service network, published as WO2010045833A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2008101676726A CN101374110B (en) 2008-10-22 2008-10-22 Method, system and equipment for processing packet of wireless service network
CN200810167672.6 2008-10-22

Publications (1)

Publication Number Publication Date
WO2010045833A1 (en), publication date 2010-04-29

Family

ID=40448042

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/074105 WO2010045833A1 (en) 2008-10-22 2009-09-22 Method, system and device for processing messages in wireless service network

Country Status (2)

Country Link
CN (1) CN101374110B (en)
WO (1) WO2010045833A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101374110B (en) * 2008-10-22 2011-05-11 成都市华为赛门铁克科技有限公司 Method, system and equipment for processing packet of wireless service network
CN101714927B (en) * 2010-01-15 2012-04-18 福建伊时代信息科技股份有限公司 Network access control method for comprehensive safety management of inner network
CN101867620B (en) * 2010-07-02 2013-04-24 南京南瑞继保电气有限公司 Method for viewing pre-message through crossing security zone
CN102547708A (en) * 2012-02-22 2012-07-04 深圳市共进电子股份有限公司 Method for isolating wireless virtual access points
WO2014089770A1 (en) * 2012-12-12 2014-06-19 Telefonaktiebolaget L M Ericsson (Publ) Method and device for vlan interface routing
CN103795566A (en) * 2013-12-30 2014-05-14 马钢控制技术有限责任公司 Computer network system and control method thereof
CN106507414B (en) * 2016-10-12 2020-02-11 杭州迪普科技股份有限公司 Message forwarding method and device
CN106804045B (en) * 2016-12-30 2020-03-03 Oppo广东移动通信有限公司 Forwarding control method of broadcast message and access equipment
CN112804131B (en) * 2021-01-08 2021-12-07 上海自恒信息科技有限公司 Access control method based on VLAN structure

Citations (5)

Publication number Priority date Publication date Assignee Title
US20030172142A1 (en) * 2002-03-11 2003-09-11 David Su Method for building a vapa by using wireless-LAN interface card
CN1567808A (en) * 2003-06-18 2005-01-19 联想(北京)有限公司 A network security appliance and realizing method thereof
WO2007111721A2 (en) * 2005-12-06 2007-10-04 Cisco Technology, Inc. Network client validation of network management frames
CN101170514A (en) * 2007-12-04 2008-04-30 华为技术有限公司 Method and device for access control between access circuit interfaces
CN101374110A (en) * 2008-10-22 2009-02-25 成都市华为赛门铁克科技有限公司 Method, system and equipment for processing packet of wireless service network

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
CN100426794C (en) * 2005-10-11 2008-10-15 华为技术有限公司 Method for processing data stream between different fire-proof walls
CN100490408C (en) * 2005-11-24 2009-05-20 鸿富锦精密工业(深圳)有限公司 Access point and its method for establishment of wireless distribution system connection


Also Published As

Publication number Publication date
CN101374110B (en) 2011-05-11
CN101374110A (en) 2009-02-25


Legal Events

Code 121, EP: the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 09821554; country of ref document: EP; kind code of ref document: A1.
Code NENP: non-entry into the national phase. Ref country code: DE.
Code 122, EP: PCT application non-entry in European phase. Ref document number: 09821554; country of ref document: EP; kind code of ref document: A1.