WO2012051868A1 - Firewall policy distribution method, client, access server and system - Google Patents


Info

Publication number
WO2012051868A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
access
firewall
firewall policy
response
Application number
PCT/CN2011/075986
Other languages
French (fr)
Chinese (zh)
Inventor
万齐根
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2012051868A1


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the present invention relates to the field of communications, and in particular to a firewall policy distribution method, a client, an access server, and a system.
  • a firewall policy generally refers to a firewall rule that restricts a user's access to certain information items, or restricts the user's use of certain control functions, according to the user's identity and the predefined domain to which the user belongs, so as to control the user's network access.
  • a primary object of the present invention is to provide a firewall policy distribution method, a client, an access server, and a system to at least solve the above problem of inconvenient distribution of firewall policies and requiring additional resources.
  • a firewall policy distribution method including: a client sends an access protocol packet to an access server, where the access protocol packet carries firewall policy configuration request information; the client receives a response packet sent by the access server in response to the access protocol packet, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client; and the client configures its own firewall rules according to the firewall policy configuration response information.
  • before the client receives the response packet sent by the access server, the method further includes: the access server obtains the information of the client from the received access protocol packet and determines the access authority of the client according to that information, where the information of the client includes at least one of the following: media access control (MAC) address, carrier code, user classification code; the access server encapsulates the firewall policy configuration response information corresponding to the access authority of the client in the response packet and sends it to the client.
  • the broadband access protocol is the Dynamic Host Configuration Protocol (DHCP).
  • the access protocol packet is a dynamic host configuration protocol discovery packet or a dynamic host configuration protocol request packet.
  • the firewall policy configuration request information is encapsulated in an option of DHCP discovery or DHCP request.
  • the response packet is a dynamic host configuration protocol offer packet or a dynamic host configuration protocol acknowledgement packet, and the firewall policy configuration response information is encapsulated in an option of the DHCP offer or DHCP ACK packet.
  • after the client configures its own firewall rules according to the firewall policy configuration response information, the method further includes: within a predetermined time interval, the client sends a firewall policy renewal request packet to the access server, where the firewall policy renewal request packet is used to request the access server to renew the client's firewall policy; the client receives the firewall policy lease response packet sent by the access server in response to the firewall policy renewal request packet; and the client extends its configured firewall rules or invalidates its configured firewall rules according to the firewall policy lease response packet.
  • the broadband access protocol is the point-to-point protocol PPP.
  • the access protocol packet is a Point-to-Point Protocol IP Control Protocol (PPP IPCP) configuration request packet, and the firewall policy configuration request information is encapsulated in an option of the PPP IPCP configuration request.
  • the response packet is a PPP IPCP configuration response packet.
  • the firewall policy configuration response information is encapsulated in the PPP IPCP configuration response option.
  • a firewall policy distribution client including: a first sending module, configured to send an access protocol packet to an access server, where the access protocol packet carries firewall policy configuration request information; a first receiving module, configured to receive the response packet from the access server, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client; and a firewall module, configured to configure the firewall rules of the client according to the firewall policy configuration response information.
  • a firewall policy distribution access server including: a second receiving module, configured to receive an access protocol packet from a client, where the access protocol packet carries firewall policy configuration request information; a second sending module, configured to send a response packet to the client in response to the access protocol packet, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client; and a privilege module, configured to determine the access authority of the client according to the information of the client carried in the access protocol packet, where the information of the client is at least one of the following: MAC (Media Access Control) address information, carrier code Vendor ID, and user classification code User Classified ID.
  • a firewall policy distribution system including a client and an access server, where the client includes: a first sending module, configured to send an access protocol packet to the access server, where the access protocol packet carries firewall policy configuration request information; a first receiving module, configured to receive the response packet from the access server; and a firewall module, configured to configure the firewall rules of the client according to the firewall policy configuration response information.
  • the access server includes: a second receiving module, configured to receive the access protocol packet from the client; a second sending module, configured to send a response packet to the client in response to the access protocol packet, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client; and a privilege module, configured to determine the access authority of the client according to the information of the client carried in the access protocol packet, where the information of the client includes at least one of the following: MAC (Media Access Control) address information, carrier code Vendor ID, and user classification code User Classified ID.
  • FIG. 1 is a flowchart of a firewall policy distribution method according to an embodiment of the present invention;
  • FIG. 2 is a block diagram showing the structure of a firewall policy distribution client according to an embodiment of the present invention;
  • FIG. 3 is a structural block diagram of a firewall policy distribution access server according to an embodiment of the present invention;
  • FIG. 4 is a structural block diagram of a firewall policy distribution system according to an embodiment of the present invention;
  • FIG. 5 is a schematic diagram of firewall policy distribution over the DHCP protocol according to an embodiment of the present invention;
  • FIG. 6 is a schematic diagram of the packet format of the firewall option of the DHCP protocol according to an embodiment of the present invention;
  • FIG. 7 is a schematic diagram of firewall policy distribution over the PPP protocol according to an embodiment of the present invention;
  • FIG. 8 is a schematic diagram showing the format of the PPP IPCP Configuration Request data packet in the embodiment of the present invention;
  • FIG. 9 is a schematic diagram showing the format of the PPP IPCP Configuration NAK data packet in the embodiment of the present invention;
  • FIG. 10 is a schematic diagram showing the format of the PPP IPCP firewall option data packet according to an embodiment of the present invention.
  • in a TCP/IP network, each host that wants to access resources on the network must first perform network access and carry out basic network configuration; the configuration of parameters such as the IP address, subnet mask, gateway and DNS (Domain Name System) server is essential.
  • this configuration information is carried in the options of broadband access protocol packets, for example the DHCP (Dynamic Host Configuration Protocol) protocol and the PPP IPCP (Point-to-Point Protocol Internet Protocol Control Protocol) protocol.
  • in the embodiments of the present invention, the firewall policy information is encapsulated in a certain format in the options of these access protocols; when the client performs network access, the access server automatically distributes the firewall policy through the broadband access protocol to users of different levels and different predefined domains, making firewall policy distribution more direct and convenient.
  • FIG. 1 is a flowchart of a firewall policy distribution method according to an embodiment of the present invention. As shown in FIG. 1, the method includes:
  • Step S102: a client sends an access protocol packet to an access server, where the access protocol packet carries firewall policy configuration request information.
  • Step S104: the client receives a response packet sent by the access server in response to the access protocol packet, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client.
  • Step S106: the client configures its own firewall rules according to the firewall policy configuration response information.
  • FIG. 2 is a block diagram showing a structure of a firewall policy distribution client according to an embodiment of the present invention.
  • the client 100 includes: a first sending module 102, a first receiving module 104, and a firewall module 106.
  • the first sending module 102 is connected to the first receiving module 104 and the firewall module 106, and is configured to send an access protocol packet to the access server, where the sent access protocol packet carries firewall policy configuration request information.
  • the first receiving module 104 is configured to receive the response packet from the access server, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client.
  • the firewall module 106 is connected to the first sending module 102 and the first receiving module 104, and is configured to configure the firewall rules of the client according to the firewall policy configuration response information.
  • FIG. 3 is a structural block diagram of a firewall policy distribution access server according to an embodiment of the present invention.
  • the access server 200 includes: a second sending module 202, a second receiving module 204, and a rights module 206.
  • the second receiving module 204 is connected to the second sending module 202 and the privilege module 206, and is configured to receive the access protocol packet from the client, where the access protocol packet carries the firewall policy configuration request information.
  • the second sending module 202 is configured to send a response packet to the client in response to the access protocol packet, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client.
  • the privilege module 206 is connected to the second sending module 202 and the second receiving module 204, and is configured to determine the access authority of the client according to the MAC address information of the client encapsulated in the access protocol packet.
  • FIG. 4 is a structural block diagram of a firewall policy distribution system according to an embodiment of the present invention. As shown in FIG. 4, the distribution system includes a client 100 and an access server 200 coupled to each other.
  • the client 100 includes: a first sending module 102, configured to send an access protocol packet to the access server 200, where the access protocol packet carries firewall policy configuration request information; a first receiving module 104, configured to receive the response packet from the access server 200; and a firewall module 106, configured to configure the firewall rules of the client 100 according to the firewall policy configuration response information.
  • the access server 200 includes: a second receiving module 204, configured to receive the access protocol packet from the client 100; a second sending module 202, configured to send a response packet to the client 100 in response to the access protocol packet, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client 100; and a privilege module 206, configured to determine the network access authority of the client 100 according to the MAC address information of the client 100.
  • with the above distribution system, the firewall policy configuration request information and the firewall policy configuration response information are encapsulated in the broadband access protocol packet and the response packet respectively, so that the network configuration interaction of the broadband access protocol distributes the firewall policy corresponding to the client's authority to the client, and the client can automatically and dynamically configure its own firewall rules at the time of broadband access.
  • FIG. 5 is a schematic diagram of a firewall policy distribution process of a DHCP protocol according to an embodiment of the present invention.
  • the terminal device includes a DHCP client and a firewall module, and the terminal device accesses the Internet through the DHCP mode.
  • the interaction between the terminal device and the DHCP server is shown in FIG. 5: steps S502 to S508 are the DHCP negotiation phase; the negotiation process is prior art and is not described in detail here.
  • the difference in this embodiment is that the Parameter Request List of the DHCP Discovery and DHCP Request messages sent by the DHCP client carries a firewall option, requesting the DHCP server to deliver firewall information; if the DHCP server does not support the firewall option, it can ignore the option.
  • after receiving the DHCP Discovery and DHCP Request messages, the DHCP server checks the parameter request list, fills the corresponding firewall information into the firewall option field in a certain format, and sends it to the DHCP client in the DHCP Offer and DHCP ACK messages.
  • after receiving the DHCP ACK, the DHCP client parses the firewall option data and passes the parsed data to the firewall module in step S510.
  • the firewall module applies the firewall rules on the terminal device; the firewall rules are valid for half of the lease time.
  • when half of the lease time has elapsed, the DHCP client sends a DHCP Request message to the DHCP server for renewal, and the DHCP server responds to the lease request with a DHCP ACK in step S514.
  • if the lease renewal succeeds, the DHCP client notifies the firewall module in step S516, and the firewall module extends the effective time of the corresponding firewall rules to half of the new lease time. If the lease renewal fails, the firewall rules become invalid and the next round of DHCP interaction is performed, with the same interaction steps as above.
  • in practice the firewall renewal above is performed in synchronization with the IP address renewal of the DHCP protocol, except that the firewall renewal option is added to the DHCP Request packet.
  • the DHCP Discovery message sent by the DHCP client carries option 55, the parameter request list, which includes: subnet mask (option 1), router (option 3), name server (option 6), host name (option 12), domain name (option 15), time server (option 4), carrier code Vendor ID (option 60), and user classification code User Classified ID (option 77);
  • a firewall option (option 130) is added to this option list.
  • the DHCP server replies with a DHCP Offer packet providing the information corresponding to the client's request.
  • the DHCP server judges the DHCP client's level by the source MAC address, the Vendor ID, the User Classified ID and other host information, and provides the corresponding firewall information in option 130.
  • after the DHCP client receives the final ACK from the DHCP server, it uses the firewall option information in the DHCP options to dynamically configure the client firewall.
  • FIG. 6 is a schematic diagram of the packet format of the DHCP protocol firewall option according to the embodiment of the present invention. As shown in FIG. 6:
  • the DHCP firewall option code is 130 (0x82) and occupies one byte.
  • the option code can be any value in the range 0-255 that is not used by the standard DHCP access protocol.
  • the DHCP firewall option can include two sub-options, firewall pass and firewall reject, with sub-option codes 1 and 2 respectively, each occupying one byte; the sub-option data length Len is 2 bytes; the firewall data is Len bytes.
  • each firewall rule consists of: source address/subnet mask, 5 bytes; port number, 2 bytes; protocol, 2 bytes; destination address/subnet mask, 5 bytes; 14 bytes in total.
  • the IP address/subnet mask data is in a format similar to 192.168.1.0/24.
  • if a data area such as the source address/subnet mask, port number, protocol or destination address/subnet mask is all 0, it matches any value, that is, any source address/subnet mask, any port number, any protocol, any destination address/subnet mask.
  • each sub-option of the DHCP firewall option can contain multiple consecutive rules, and the sub-option data length must be an integer multiple of 14 bytes.
  • the firewall option is placed at the end of all DHCP options, followed by the DHCP option terminator 0xff.
  • FIG. 7 shows the firewall policy distribution of the PPP protocol according to the embodiment of the present invention.
  • the PPP protocol runs in two phases, the LCP (Link Control Protocol) phase and the NCP (Network Control Protocol) phase; network configuration takes place in the NCP phase, including the configuration of parameters such as DNS and WINS (Windows Internet Naming Server).
  • in this example the firewall policy is distributed by adding two firewall options to the PPP client's configuration request: filter (Accept), option 141, and filter (DROP), option 142.
  • in the request, each firewall option is 2 bytes long, consisting of the option code and the length field.
  • the PPP server judges the PPP client's level by the source MAC address, account information and other host information, and sends a PPP IPCP configuration NAK packet carrying the corresponding firewall option information; the option format consists of the option code, the length, and the firewall data.
  • Step S702: LCP negotiation is performed; the negotiated content includes the options defined in RFC (Request For Comments) 1661.
  • Step S704: after LCP negotiation the link establishment phase is complete, and authentication starts. PAP (Password Authentication Protocol) is a two-way handshake authentication in which the password is sent in plain text: the party being authenticated sends its user name and password to the authenticator, and the authenticator checks whether the user and password are valid and sends the corresponding response.
  • CHAP (Challenge Handshake Authentication Protocol) is a three-way handshake authentication in which the password is transmitted as ciphertext (a key): the authenticator generates a random challenge packet and sends it to the party being authenticated; that party computes an MD5 (Message Digest Algorithm 5) digest over the challenge with its own password and returns it; the authenticator computes the MD5 digest over the password and the random packet in the same way and compares the two results.
  • Step S706: when authentication succeeds, the network phase (NCP) negotiation is performed; for IP access this is mainly IPCP negotiation, such as negotiation of the IP address and the DNS address. This embodiment adds firewall negotiation at this stage.
  • Step S708: according to the negotiation result, the firewall is configured, together with parameters such as the IP address and DNS.
  • Step S710: if the negotiation succeeds, the link is established and network layer data packets can be transmitted.
  • FIG. 8 is a schematic diagram showing the format of the PPP IPCP Configuration Request data packet in the embodiment of the present invention. As shown in FIG. 8:
  • the code is 0x01, which identifies a PPP IPCP Configuration Request packet;
  • the code is followed by the IP address option, Option 1 (IP Address);
  • Option 129 is the primary DNS address option;
  • Option 131 is the alternate DNS address option; the above options are consistent with the existing PPP IPCP protocol standard (refer to RFC 1877).
  • the firewall options, option 141 and option 142, are added. The option number of a firewall option may be any value not used in the PPP access protocol; option 141 represents the firewall accept option and option 142 represents the firewall reject (DROP) option.
  • both option 141 and option 142 consist of the code field and the length (Len) field; the code and Len fields occupy 2 bytes in total.
  • FIG. 9 shows the format of the PPP IPCP Configuration NAK data packet in the embodiment of the present invention.
  • the code is 0x03 for an IPCP Configuration NAK packet, and the code is followed by the configuration data fields, for example the IP Address field, the primary DNS address field, and the alternate DNS address field.
  • the option 141 and option 142 firewall option data fields each include the length of the respective option.
  • the data format of the firewall option area is: firewall option code, 1 byte (141 or 142); option data length Len, 1 byte; firewall data, Len-2 bytes.
  • FIG. 10 is a schematic diagram showing the format of the PPP IPCP firewall option data in the embodiment of the present invention. As shown in FIG. 10, the firewall data consists of the source address/subnet mask (5 bytes), port number (2 bytes), protocol (2 bytes), and destination address/subnet mask (5 bytes), 14 bytes in total.
  • the IP address/subnet mask data is in a format similar to 192.168.1.0/24.
  • the firewall option data length Len-2 must be an integer multiple of 14, and a firewall option can contain multiple consecutive rules.
  • if a data area of a rule, such as the source address/subnet mask, port number, protocol or destination address/subnet mask, is all 0, it matches any value: any source address/subnet mask, any port number, any protocol, any destination address/subnet mask.
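The option encodings of FIG. 6 (DHCP option 130 with its pass/reject sub-options and 14-byte rules) and FIG. 10 (PPP IPCP options 141/142), together with the all-zero wildcard matching, as one worked codec. This is an added illustration, not code from the patent or the applicant; the layout of the 5-byte address/mask area as 4 address bytes plus 1 prefix-length byte, network byte order for Len, and the absence of an outer DHCP option length byte are assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

RULE_LEN = 14                                # 5 + 2 + 2 + 5 bytes per rule (FIG. 6 / FIG. 10)
DHCP_FW_OPTION = 0x82                        # DHCP option 130
DHCP_SUB_ACCEPT, DHCP_SUB_REJECT = 1, 2      # sub-option codes: pass / reject
DHCP_END = 0xFF                              # option terminator that follows option 130
IPCP_OPT_ACCEPT, IPCP_OPT_DROP = 141, 142    # PPP IPCP firewall option codes


@dataclass(frozen=True)
class Rule:
    src: str     # CIDR, e.g. "192.168.1.0/24"; an all-zero area ("0.0.0.0/0") means any
    port: int    # 0 = any port
    proto: int   # 0 = any protocol
    dst: str     # CIDR; "0.0.0.0/0" means any


def _pack_net(cidr: str) -> bytes:
    # Assumption: the 5-byte address/subnet-mask area is 4 address bytes + 1 prefix-length byte.
    net = ipaddress.IPv4Network(cidr, strict=False)
    return net.network_address.packed + bytes([net.prefixlen])


def _unpack_net(buf: bytes) -> str:
    return f"{ipaddress.IPv4Address(buf[:4])}/{buf[4]}"


def pack_rules(rules: List[Rule]) -> bytes:
    return b"".join(_pack_net(r.src) + struct.pack("!HH", r.port, r.proto) + _pack_net(r.dst)
                    for r in rules)


def unpack_rules(data: bytes) -> List[Rule]:
    # The page requires the data length to be an integer multiple of 14: refuse anything else
    # rather than silently parsing a truncated or padded rule.
    if len(data) % RULE_LEN:
        raise ValueError(f"firewall data length {len(data)} is not a multiple of {RULE_LEN}")
    rules = []
    for off in range(0, len(data), RULE_LEN):
        chunk = data[off:off + RULE_LEN]
        port, proto = struct.unpack("!HH", chunk[5:9])
        rules.append(Rule(_unpack_net(chunk[:5]), port, proto, _unpack_net(chunk[9:])))
    return rules


def build_dhcp_option130(accept: List[Rule], reject: List[Rule]) -> bytes:
    """Option code 130, then sub-options (code 1 byte, Len 2 bytes, Len data bytes), then 0xff.
    The page states no outer length byte for option 130, so none is emitted (assumption)."""
    out = bytearray([DHCP_FW_OPTION])
    for sub, rules in ((DHCP_SUB_ACCEPT, accept), (DHCP_SUB_REJECT, reject)):
        if rules:
            data = pack_rules(rules)
            out += bytes([sub]) + struct.pack("!H", len(data)) + data   # Len assumed big-endian
    return bytes(out) + bytes([DHCP_END])


def parse_dhcp_option130(buf: bytes) -> Dict[int, List[Rule]]:
    """Client-side parser: every declared length is bounds-checked before it is trusted."""
    if not buf or buf[0] != DHCP_FW_OPTION:
        raise ValueError("not a DHCP firewall option")
    subs: Dict[int, List[Rule]] = {DHCP_SUB_ACCEPT: [], DHCP_SUB_REJECT: []}
    pos = 1
    while pos < len(buf) and buf[pos] != DHCP_END:
        if pos + 3 > len(buf):
            raise ValueError("truncated sub-option header")
        sub, length = buf[pos], struct.unpack("!H", buf[pos + 1:pos + 3])[0]
        data = buf[pos + 3:pos + 3 + length]
        if sub not in subs or len(data) != length:
            raise ValueError(f"bad sub-option {sub}: declared {length}, got {len(data)} bytes")
        subs[sub] = unpack_rules(data)
        pos += 3 + length
    if pos >= len(buf):
        raise ValueError("missing 0xff terminator")
    return subs


def build_ipcp_option(code: int, rules: List[Rule]) -> bytes:
    """PPP IPCP firewall option: code (1 byte), total length Len (1 byte), data (Len-2 bytes)."""
    data = pack_rules(rules)
    if 2 + len(data) > 255:
        raise ValueError("too many rules for one IPCP option")
    return bytes([code, 2 + len(data)]) + data


def parse_ipcp_option(buf: bytes) -> Tuple[int, List[Rule]]:
    if len(buf) < 2 or buf[0] not in (IPCP_OPT_ACCEPT, IPCP_OPT_DROP) or buf[1] != len(buf):
        raise ValueError("malformed IPCP firewall option")
    return buf[0], unpack_rules(buf[2:])


def rule_matches(rule: Rule, src: str, port: int, proto: int, dst: str) -> bool:
    """All-zero areas act as wildcards: 0.0.0.0/0 contains every address, port/proto 0 match all."""
    return (ipaddress.IPv4Address(src) in ipaddress.IPv4Network(rule.src, strict=False)
            and rule.port in (0, port) and rule.proto in (0, proto)
            and ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(rule.dst, strict=False))


def is_allowed(reject: List[Rule], src: str, port: int, proto: int, dst: str) -> bool:
    """Default allow; any matching reject (DROP) rule blocks the flow. Precedence between the
    accept and reject lists is not defined on the page, so only reject rules are consulted here."""
    return not any(rule_matches(r, src, port, proto, dst) for r in reject)
```

The strict length checks are the defensive point: a client that trusted a declared Len without bounds-checking it, or accepted data that is not a multiple of 14, would read past the option or apply a half-parsed rule.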
  • the access server can manage the broadband access client's access to special services as follows: on the broadband access protocol server side, the common server addresses of the special services (such as MSN, QQ, P2P, specific websites, etc.) are filled into the destination IP address area of the response packet, the common port is filled into the port number area, and the protocol is filled into the protocol area.
  • the firewall option code is 0x82. If the server carries no firewall option data, these services are allowed by default; if the server carries a firewall reject option (DROP) for them, these services are rejected.
  • the automatic firewall policy configuration in the foregoing embodiments covers both access control from the access terminal to the upper-layer network and access control of downstream devices to the access terminal.
  • when the access terminal needs to allocate addresses downstream, the server replies with a single source IP address or a source IP address range from the address pool in the source IP address field; the client configures single-user or single-address access to the access terminal according to the reply packet, so as to control multi-user shared Internet access.
  • the network configuration process of the broadband access protocol is used to distribute the firewall policy, so that the firewall rules of clients of different levels are configured dynamically when the client performs broadband access; firewall policy distribution is thereby made convenient and distribution resources are saved.
  • a simple method of opening and closing a specific service is also provided, as well as a way of controlling the number of hosts a client system may support behind the access terminal, which provides a means of controlling multi-user shared Internet access.
  • the modules or steps of the present invention can be implemented by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device and, in some cases, performed in an order different from that described herein.

Abstract

The present invention discloses a firewall policy distribution method, client, access server and system for broadband access protocols. The firewall policy distribution method includes: a client sends access protocol messages to an access server, wherein the access protocol messages carry the firewall policy configuration request information (S102); the client receives response messages which respond to the access protocol messages and are sent from the access server, wherein the response messages carry the firewall policy configuration response information corresponding to the access authority of the client (S104); and the client configures firewall rules of itself according to the firewall policy configuration response information (S106). The present invention realizes the distribution of firewall policies by utilizing network configuration interaction processes of the broadband access protocols and enables a client to configure the firewall rules of itself dynamically. With the utilization of the current broadband access protocols, the distribution of the firewall policies is very convenient and distribution resources are saved.

Description

Firewall policy distribution method, client, access server and system

TECHNICAL FIELD The present invention relates to the field of communications, and in particular to a firewall policy distribution method, a client, an access server, and a system.

BACKGROUND A firewall policy generally refers to a firewall rule that restricts a user's access to certain information items, or restricts the user's use of certain control functions, according to the user's identity and the predefined domain to which the user belongs, so as to control the user's network access. At present, there are two main schemes for access control of broadband access clients in network operation and maintenance: 1) using network management software and network management protocols such as Tr069 (wide area network management protocol) and SNMP (Simple Network Management Protocol) to manually configure the access control lists of clients of different levels and different predefined domains; 2) setting up a separate firewall policy distribution server, with the access client communicating with the server through a built-in channel to obtain the firewall information, or with the server pushing the firewall policy. Both schemes have shortcomings: the first is time-consuming and labour-intensive, and the whole process requires manual operation; the second requires additional resource consumption, such as the firewall policy distribution server, and the client software must establish a built-in channel.

SUMMARY OF THE INVENTION A primary object of the present invention is to provide a firewall policy distribution method, a client, an access server, and a system to at least solve the above problem of inconvenient distribution of firewall policies and the need for additional resources.

According to one aspect of the present invention, a firewall policy distribution method is provided, including: a client sends an access protocol packet to an access server, where the access protocol packet carries firewall policy configuration request information; the client receives a response packet sent by the access server in response to the access protocol packet, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client; and the client configures its own firewall rules according to the firewall policy configuration response information.

Before the client receives the response packet sent by the access server in response to the access protocol packet, the method further includes: the access server obtains the information of the client from the received access protocol packet and determines the access authority of the client according to that information, where the information of the client includes at least one of the following: media access control (MAC) address, carrier code, user classification code; the access server encapsulates the firewall policy configuration response information corresponding to the access authority of the client in the response packet and sends it to the client.

The broadband access protocol is the dynamic host configuration protocol DHCP. The access protocol packet is a dynamic host configuration protocol discover packet or a dynamic host configuration protocol request packet, and the firewall policy configuration request information is encapsulated in an option of the DHCP discover packet or DHCP request packet; the response packet is a dynamic host configuration protocol offer packet or a dynamic host configuration protocol acknowledgement packet, and the firewall policy configuration response information is encapsulated in an option of the DHCP offer packet or DHCP ACK packet.

After the client configures its own firewall rules according to the firewall policy configuration response information, the method further includes: within a predetermined time interval, the client sends a firewall policy renewal request packet to the access server, where the firewall policy renewal request packet is used to request the access server to renew the client's firewall policy; the client receives the firewall policy lease response packet sent by the access server in response to the firewall policy renewal request packet; and the client extends its configured firewall rules or invalidates its configured firewall rules according to the firewall policy lease response packet.

The broadband access protocol is the point-to-point protocol PPP. The access protocol packet is a point-to-point IP control protocol PPP IPCP configuration request packet, and the firewall policy configuration request information is encapsulated in an option of the PPP IPCP configuration request packet; the response packet is a point-to-point IP control protocol PPP IPCP configuration response packet, and the firewall policy configuration response information is encapsulated in an option of the PPP IPCP configuration response packet.

According to another aspect of the present invention, a firewall policy distribution client is provided, including: a first sending module, configured to send an access protocol packet to an access server, where the access protocol packet carries firewall policy configuration request information; a first receiving module, configured to receive the response packet from the access server, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client; and a firewall module, configured to configure the firewall rules of the client according to the firewall policy configuration response information.

According to yet another aspect of the present invention, a firewall policy distribution access server is provided, including: a second receiving module, configured to receive an access protocol packet from a client, where the access protocol packet carries firewall policy configuration request information; a second sending module, configured to send a response packet to the client in response to the access protocol packet, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client; and a privilege module, configured to determine the access authority of the client according to the information of the client carried in the access protocol packet, where the information of the client is at least one of the following: MAC (Media Access Control) address information, carrier code Vendor ID, user classification code User Classified ID.

According to a further aspect of the present invention, a firewall policy distribution system is provided, including a client and an access server, where the client includes: a first sending module, configured to send an access protocol packet to the access server, where the access protocol packet carries firewall policy configuration request information; a first receiving module, configured to receive the response packet from the access server; and a firewall module, configured to configure the firewall rules of the client according to the firewall policy configuration response information. The access server includes: a second receiving module, configured to receive the access protocol packet from the client; a second sending module, configured to send a response packet to the client in response to the access protocol packet, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client; and a privilege module, configured to determine the access authority of the client according to the information of the client carried in the access protocol packet, where the information of the client includes at least one of the following: MAC (Media Access Control) address information, carrier code Vendor ID, user classification code User Classified ID.

Through the present invention, the network configuration interaction of the broadband access protocol is used by the access server to distribute the firewall policy corresponding to the client's authority to the client, so that the client can automatically and dynamically configure its own firewall rules at the time of broadband access. Because the existing broadband access protocol is used, the distribution of the firewall policy is very convenient and distribution resources are saved.

BRIEF DESCRIPTION OF THE DRAWINGS The drawings described here are provided for a further understanding of the present invention and form a part of this application; the exemplary embodiments of the present invention and their description are used to explain the present invention and do not constitute an improper limitation of it. In the drawings: FIG. 1 is a flowchart of a firewall policy distribution method according to an embodiment of the present invention; FIG. 2 is a structural block diagram of a firewall policy distribution client according to an embodiment of the present invention; FIG. 3 is a structural block diagram of a firewall policy distribution access server according to an embodiment of the present invention; FIG. 4 is a structural block diagram of a firewall policy distribution system according to an embodiment of the present invention; FIG. 5 is a schematic diagram of firewall policy distribution over the DHCP protocol according to an embodiment of the present invention; FIG. 6 is a schematic diagram of the packet format of the firewall option of the DHCP protocol according to an embodiment of the present invention; FIG. 7 is a schematic diagram of firewall policy distribution over the PPP protocol according to an embodiment of the present invention; FIG. 8 is a schematic diagram of the PPP IPCP Configuration Request data packet format according to an embodiment of the present invention; FIG. 9 is a schematic diagram of the PPP IPCP Configuration NAK data packet format according to an embodiment of the present invention; and FIG. 10 is a schematic diagram of the PPP IPCP firewall option data packet format according to an embodiment of the present invention.

DETAILED DESCRIPTION The present invention is described in detail below with reference to the drawings and in combination with the embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features of the embodiments may be combined with each other.

In a TCP/IP network, each host that wants to access resources on the network must first perform network access and carry out basic network configuration; the configuration of parameters such as the IP address, subnet mask, gateway and DNS (Domain Name System) server is essential. This configuration information is carried in the options of broadband access protocol packets, for example the DHCP (Dynamic Host Configuration Protocol) protocol and the PPP IPCP (Point to point protocol Internet Protocol Control Protocol) protocol. In the embodiments of the present invention, the firewall policy information is encapsulated in a certain format in the options of these access protocols; when the client performs network access, the access server automatically distributes the firewall policy through the broadband access protocol to users of different levels and different predefined domains, making firewall policy distribution more direct and convenient.

FIG. 1 is a flowchart of a firewall policy distribution method according to an embodiment of the present invention. As shown in FIG. 1, the method includes: Step S102, a client sends an access protocol packet to an access server, where the access protocol packet carries firewall policy configuration request information. Step S104, the client receives a response packet sent by the access server in response to the access protocol packet, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client. Step S106, the client configures its own firewall rules according to the firewall policy configuration response information. In the above method, the network configuration interaction of the broadband access protocol is used by the access server to distribute the firewall policy corresponding to the client's authority to the client, so that the client can automatically and dynamically configure its own firewall rules at the time of broadband access. Because the existing broadband access protocol is used, the distribution of the firewall policy is very convenient and distribution resources are saved.

FIG. 2 is a structural block diagram of a firewall policy distribution client according to an embodiment of the present invention. As shown in FIG. 2, the client 100 includes: a first sending module 102, a first receiving module 104 and a firewall module 106. The first sending module 102 is connected to the first receiving module 104 and the firewall module 106 respectively, and the first sending module 102 is configured to send an access protocol packet to the access server, where the sent access protocol packet carries firewall policy configuration request information; the first receiving module 104 is configured to receive the response packet from the access server, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client; the firewall module 106 is connected to the first sending module 102 and the first receiving module 104 respectively, and the firewall module 106 is configured to configure the firewall rules of the client according to the firewall policy configuration response information. With the above client, the access protocol packet carries the firewall policy configuration request information, so that the network configuration interaction of the broadband access protocol is used to distribute the firewall policy and the client can automatically and dynamically configure its own firewall rules. Because the existing broadband access protocol is used, the distribution of the firewall policy is very convenient and distribution resources are saved.

FIG. 3 is a structural block diagram of a firewall policy distribution access server according to an embodiment of the present invention. As shown in FIG. 3, the access server 200 includes: a second sending module 202, a second receiving module 204 and a privilege module 206. The second receiving module 204 is connected to the second sending module 202 and the privilege module 206 respectively, and the second receiving module 204 is configured to receive the access protocol packet from the client, where the access protocol packet carries the firewall policy configuration request information; the second sending module 202 is configured to send a response packet to the client in response to the access protocol packet, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client; the privilege module 206 is connected to the second sending module 202 and the second receiving module 204 respectively, and the privilege module 206 is configured to determine the access authority of the client according to the MAC address information of the client encapsulated in the access protocol packet. With the above access server, the firewall policy configuration response information corresponding to the access authority of the client is encapsulated in the response packet to the access protocol packet, so that the network configuration interaction of the broadband access protocol is used to distribute the firewall policy and the client can automatically and dynamically configure its own firewall rules. Because the existing broadband access protocol is used, the distribution of the firewall policy is very convenient and distribution resources are saved.

FIG. 4 is a structural block diagram of a firewall policy distribution system according to an embodiment of the present invention. As shown in FIG. 4, the distribution system includes a client 100 and an access server 200 coupled to each other, where the client 100 includes: a first sending module 102, configured to send an access protocol packet to the access server 200, where the access protocol packet carries firewall policy configuration request information; a first receiving module 104, configured to receive the response packet from the access server 200; and a firewall module 106, configured to configure the firewall rules of the client 100 according to the firewall policy configuration response information. The access server 200 includes: a second receiving module 204, configured to receive the access protocol packet from the client 100; a second sending module 202, configured to send a response packet to the client 100 in response to the access protocol packet, where the response packet carries the firewall policy configuration response information corresponding to the access authority of the client 100; and a privilege module 206, configured to determine the network access authority of the client 100 according to the MAC address information of the client 100. With the above distribution system, the firewall policy configuration request information and the firewall policy configuration response information are encapsulated in the broadband access protocol packet and the response packet respectively, so that the network configuration interaction of the broadband access protocol distributes the firewall policy corresponding to the client's authority to the client, and the client can automatically and dynamically configure its own firewall rules at the time of broadband access. Because the existing broadband access protocol is used, the distribution of the firewall policy is very convenient and distribution resources are saved.

FIG. 5 is a schematic diagram of the firewall policy distribution process of the DHCP protocol according to an embodiment of the present invention. The terminal device includes a DHCP Client and a firewall module, and the terminal device accesses the Internet through DHCP; the interaction between the terminal device and the DHCP Server is shown in FIG. 5: steps S502 to S508 are the DHCP negotiation phase; the negotiation process is prior art and is not described in detail here. The difference in this embodiment is that the Parameter Request List of the DHCP Discovery packet and DHCP Request packet sent by the DHCP Client carries a firewall option, requesting the DHCP Server to deliver firewall information; if the DHCP Server does not support the firewall option, it can ignore the option.
According to an aspect of the present invention, a firewall policy distribution method is provided, including: a client sends an access protocol packet to an access server, where the access protocol packet carries a firewall policy configuration request message; The response message sent by the access server in response to the access protocol message, where the response message carries the firewall policy configuration response information corresponding to the access authority of the client; the client configures the response information according to the firewall policy configuration. Its own firewall rules. Before the client receives the response packet sent by the access server and responds to the access protocol packet, the method further includes: the access server acquiring the information of the client from the received access protocol packet, and determining, according to the information of the client, Client access rights, where the client information includes at least one of the following: media access control address MAC, carrier code, user classification code; access server will encapsulate the firewall policy configuration response information corresponding to the client's access rights In the response message, and sent to the client. Broadband access cut, negotiated for dynamic host configuration, and negotiate DHCP. The access protocol packet is a dynamic host configuration protocol discovery packet or a dynamic host configuration protocol request packet. The firewall policy configuration request information is encapsulated in an option of DHCP discovery or DHCP request. The response message is a dynamic host. The configuration of the configuration, the provision of the network or the configuration of the dynamic host, and the confirmation of the firewall policy configuration are encapsulated in the option of DHCP providing 4 or DHCP confirmation. 
After the client configures its own firewall rules according to the firewall policy configuration response information, the client also includes: During a predetermined time interval, the client sends a firewall policy renewal request to the access server, wherein the firewall policy renews the lease. The request message is used to request the access server to renew the firewall policy of the client; the client receives the firewall policy lease response message sent by the access server and responds to the firewall policy renewal request message; the client according to the firewall policy lease response report The article extends its configured firewall rules or invalidates its configured firewall rules. The broadband access protocol is the point-to-point protocol PPP. The access protocol packet is a peer-to-peer IP control protocol PPP IPCP configuration request packet, and the firewall policy configuration request information is encapsulated in the option of the PPP IPCP configuration request. The response message is a peer-to-peer IP control protocol PPP IPCP configuration response. The firewall policy configuration response information is encapsulated in the PPP IPCP configuration response option. According to another aspect of the present invention, a firewall policy distribution client is provided, including: a first sending module, configured to send an access protocol packet to an access server, where the access protocol packet carries a firewall policy The first receiving module is configured to receive the response from the access server, where the response message carries the firewall policy configuration response information corresponding to the access right of the client; the firewall module is set according to the firewall. The policy configuration response information configures the client's firewall rules. 
According to still another aspect of the present invention, a firewall policy distribution access server is provided, including: a second receiving module, configured to receive an access protocol message from a client, where the access protocol The packet carries the firewall policy configuration request information. The second sending module is configured to send a response packet to the client in response to the access protocol packet, where the response packet carries a firewall policy corresponding to the access authority of the client. Configuring the response information; the privilege module is configured to determine the access rights of the client according to the information of the client carried in the access protocol packet, where the information of the client is at least one of the following: MAC (Media Access Control) address information, Carrier Code Vendor ID, User Classification ID. According to a further aspect of the present invention, a firewall policy distribution system is provided, including: a client and an access server, where the client includes: a first sending module, configured to send an access protocol packet to the access server, The access protocol packet carries the firewall policy configuration request information. The first receiving module is configured to receive the response packet from the access server. The firewall module is configured to configure the firewall rule of the client according to the firewall policy configuration response information. The access server includes: a second receiving module, configured to receive an access protocol message from the client; and a second sending module, configured to send a response to the client in response to the access to the tenth message. 
The response module carries the firewall policy configuration response information corresponding to the client access right; the permission module is configured to determine the access authority of the client according to the information of the client carried in the access protocol packet, where the client information At least one of the following is included: MAC (Media Access Control) address information, carrier code Vendor ID, and user classification code User Classified ID. Through the invention, the network configuration interaction process of the broadband access protocol is used, and the access server distributes the firewall policy corresponding to the client's authority to the client, so that the client can automatically and dynamically configure its own firewall rule when the broadband access is performed. . The use of existing broadband access protocols makes the distribution of firewall policies very convenient and saves distribution resources. BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are set to illustrate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, In the drawings: FIG. 1 is a flowchart of a firewall policy distribution method according to an embodiment of the present invention; FIG. 2 is a block diagram showing a firewall policy distribution client according to an embodiment of the present invention; FIG. 4 is a structural block diagram of a firewall policy distribution system according to an embodiment of the present invention; 5 is a schematic diagram of a firewall policy distribution of a DHCP protocol according to an embodiment of the present invention; FIG. 6 is a schematic diagram of a packet format of a firewall option of a DHCP protocol according to an embodiment of the present invention; FIG. 7 is a PPP diagram of an embodiment of the present invention; Schematic diagram of the firewall policy distribution of the protocol; FIG. 
8 is a schematic diagram showing the format of the PPP IPCP Configuration Request data in the embodiment of the present invention; FIG. 9 is a schematic diagram showing the format of the PPP IPCP Configuration NAK data in the embodiment of the present invention; FIG. 10 is a schematic diagram showing the format of a PPP IPCP firewall option data according to an embodiment of the present invention. BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail with reference to the accompanying drawings. It should be noted that the embodiments in the present application and the features in the embodiments may be combined with each other without conflict. In a TCP/IP network, each host must have access to the network, and must first perform network access, such as IP address, subnet mask, gateway, DNS (Domain Name System, domain name). System) The configuration of these parameters is essential. These configuration information are carried in the option of the Broadband Access Protocol. For example, DHCP (Dynamic Host Configuration Protocol) Protocol, PPP IPCP (Point to point protocol Internet Protocol Control Protocol, 10 peer-to-peer discussions on the Internet 10 to control ten meetings). In the embodiment of the present invention, the firewall policy information is encapsulated in the option options of the access protocols in a certain format. When the client network accesses, the access server automatically distributes the firewall policy to different through the broadband access protocol. Levels, users of different predefined domains, make the distribution of firewall policies more direct and convenient. FIG. 1 is a flowchart of a method for distributing a firewall policy according to an embodiment of the present invention. As shown in FIG. 1, the method includes: Step S102: A client sends an access protocol packet to an access server, where an access protocol packet is used. 
Carrying firewall policy configuration request information. Step S104: The client receives the response packet sent by the access server and responds to the access protocol packet, where the response message carries the firewall policy configuration response information corresponding to the access authority of the client. Step S106, the client configures its own firewall rule according to the firewall policy configuration response information. In the above method, by using the network configuration interaction process of the broadband access protocol, the access server distributes the firewall policy corresponding to the client's authority to the client, so that the client can automatically and dynamically during the broadband access. Configure your own firewall rules. The use of existing broadband access protocols makes the distribution of firewall policies very convenient and saves distribution resources. FIG. 2 is a block diagram showing a structure of a firewall policy distribution client according to an embodiment of the present invention. As shown in FIG. 2, the client 100 includes: a first sending module 102, a first receiving module 104, and a firewall module 106. The first sending module 102 is connected to the first receiving module 104 and the firewall module 106, and the first sending module 102 is configured to send an access protocol packet to the access server, where the sent access protocol packet carries a firewall policy. The first receiving module 104 is configured to receive the response message from the access server, where the response message carries the firewall policy configuration response information corresponding to the access authority of the client; the firewall module 106 and the first The sending module 102 is connected to the first receiving module 104, and the firewall module 106 is configured to configure the firewall rules of the client by using the firewall policy configuration response information. 
Through the above-mentioned client, the firewall protocol configuration request information is carried in the access protocol packet, so that the firewall configuration is distributed by using the network configuration interaction process of the broadband access protocol, so that the client can automatically and dynamically configure its own firewall rule. . The use of existing broadband access protocols makes the distribution of firewall policies very convenient and saves distribution resources. FIG. 3 is a structural block diagram of a firewall policy distribution access server according to an embodiment of the present invention. As shown in FIG. 3, the access server 200 includes: a second sending module 202, a second receiving module 204, and a rights module 206. The second receiving module 204 is connected to the second sending module 202 and the privilege module 206, and the second receiving module 204 is configured to receive the access protocol packet from the client, where the access protocol packet carries the firewall policy configuration request information. The second sending module 204 is configured to send a response message to the client in response to the access protocol message, where the response message carries firewall policy configuration response information corresponding to the access authority of the client; The two sending module 202 is connected to the second receiving module 204. The privilege module 206 is configured to determine the access authority of the client according to the MAC address information of the client encapsulated in the access protocol packet. Through the foregoing access server, the firewall policy configuration response information corresponding to the access authority of the client is encapsulated in the response message of the access protocol, thereby implementing the firewall policy distribution by using the network configuration interaction process of the broadband access protocol. 
, allowing clients to automatically configure their own firewall rules dynamically. The use of existing broadband access protocols makes the distribution of firewall policies very convenient and saves distribution resources. FIG. 4 is a structural block diagram of a firewall policy distribution system according to an embodiment of the present invention. As shown in FIG. 4, the distribution system includes: a client 100 and an access server 200 coupled to each other, where the client 100 includes: The module 102 is configured to send an access protocol packet to the access server 200, where the access protocol packet carries firewall policy configuration request information, and the first receiving module 104 is configured to receive the response packet from the access server 200. The firewall module 106 is configured to configure the firewall rule of the client 100 according to the firewall policy configuration response information. The access server 200 includes: a second receiving module 204 configured to receive an access protocol message from the client 100; and a second sending module 202 configured to send a response to the client 100 in response to the access protocol message The message, wherein the response message carries firewall policy configuration response information corresponding to the access permission of the client 100; the permission module 206 is configured to determine the network access permission of the client 100 according to the MAC address information of the client 100. Through the foregoing distribution system, the firewall policy configuration request information and the firewall policy configuration response information are respectively encapsulated in the broadband access protocol packet and the response packet, so that the network configuration interaction process using the broadband access protocol will correspond to the client's authority. 
The firewall policy is distributed to the client so that the client can automatically and dynamically configure its own firewall rules when broadband access is available. The use of existing broadband access protocols makes the distribution of firewall policies very convenient and saves distribution resources. FIG. 5 is a schematic diagram of a firewall policy distribution process of a DHCP protocol according to an embodiment of the present invention. The terminal device includes a DHCP client and a firewall module, and the terminal device accesses the Internet through the DHCP mode. The interaction process between the terminal device and the DHCP server is as shown in FIG. 5: Steps S502 to S508 are the negotiation phase of the DHCP, and the negotiation process is a prior art. , not described in detail here. The difference is that, in this embodiment, the DHCP Discovery message and the DHCP Request message in the Parameter Request List of the DHCP Client are carried in the firewall request to request the DHCP server to send firewall information. Support for firewall options, you can ignore the option.
After receiving the DHCP Discover and DHCP Request messages, the DHCP Server checks the Parameter Request List, fills the corresponding firewall information in a certain format into the firewall field area, and delivers it to the DHCP Client in the DHCP Offer and DHCP ACK messages. After receiving the DHCP ACK, the DHCP Client parses the data of the firewall option area and, in step S510, passes the parsed data to the firewall module; the firewall module enforces the firewall rules on the terminal device, and the firewall rules remain valid for half of the lease time.
When half of the lease time has elapsed, the DHCP Client sends a DHCP Request message to the DHCP Server in step S512 to renew the lease, and the DHCP Server responds to the lease with a DHCP ACK in step S514. If the renewal succeeds, the DHCP Client notifies the firewall module in step S516 to extend the validity of the corresponding firewall rules to half of the new lease time; if the renewal fails, the firewall rules are invalidated and the next round of DHCP interaction is performed, with the same interaction steps as above. In practice, the above firewall renewal is performed in synchronization with the IP address renewal of the DHCP protocol; only a firewall renewal option is added to the DHCP Request message.

In step S502 above, the DHCP Discover message sent by the DHCP Client carries the option 55 list, i.e. the parameter request list, which includes options such as the subnet mask (option 1), router (option 3), domain name servers (option 6), host name (option 12), domain name (option 15), time server (option 4), vendor code Vendor ID (option 60), user classification code User Classified ID (option 77) and classless static route (option 121); in this embodiment, a firewall option (option 130) is added to the option list.

In step S504 above, the DHCP Server replies with a DHCP Offer message that provides the information requested by the DHCP Client. In this embodiment, the level of the DHCP Client is judged from the source MAC address, the Vendor ID or the User Classified ID together with other host information, and the corresponding firewall information of option 130 is provided.

In steps S508 to S510 above, after the DHCP Client receives the final ACK from the DHCP Server, it dynamically configures the client firewall according to the firewall option information in the DHCP options.

FIG. 6 is a schematic diagram of the message format of the firewall option of the DHCP protocol according to an embodiment of the present invention. As shown in FIG. 6:
The DHCP firewall option code is 130, i.e. 0x82, and occupies one byte; of course, the code may be any unused value in the range 0-255 of the standard DHCP access protocol. The DHCP firewall option may contain both a firewall pass sub-option and a firewall reject sub-option, with sub-option codes 1 and 2 respectively, each occupying one byte; the sub-option data length Len occupies 2 bytes; and the firewall data occupies Len bytes.

In the firewall data shown in this embodiment, the source address/subnet mask is 5 bytes, the port number is 2 bytes, the protocol is 2 bytes and the destination address/subnet mask is 5 bytes, for a total data length of 14 bytes. The IP address/subnet mask data is in a format like 192.168.1.0/24.

In the above firewall option data, if a data area, such as the source address/subnet mask, port number, protocol or destination address/subnet mask area, is all zeros, it corresponds to any value, i.e. any source address/subnet mask, any port number, any protocol or any destination address/subnet mask.

Of course, each sub-option of the DHCP firewall option may contain multiple consecutive rules, and the sub-option data length must be an integer multiple of 14 bytes. The firewall option is placed at the end of all DHCP options and is terminated by the DHCP option terminator 0xff.

FIG. 7 is a schematic diagram of firewall policy distribution over the PPP protocol according to an embodiment of the present invention. The implementation of the PPP protocol includes two phases, LCP (Link Control Protocol) and NCP (Network Control Protocol); the network configuration takes place in the NCP phase, for example the configuration of parameters such as DNS and WINS (Windows Internet Naming Service). In this example, the firewall policy is distributed by adding two firewall options to the PPP client's request, filter (Accept) 141 and filter (DROP) 142; each firewall option has a length of 2, consisting of the option code byte and the length field byte. When the PPP server finds the firewall option field in the received IPCP request, it judges the level of the PPP Client from the source MAC address information, the account information and other host information, and returns the corresponding firewall option information by sending a PPP IPCP Configuration NAK packet; the information format includes the code, the length and the firewall data. After the PPP client receives the IPCP Configuration NAK, it automatically configures network parameters such as the IP address, DNS, WINS and the firewall rules.
The implementation of the PPP protocol specifically includes the following steps:

Step S702: LCP negotiation; the negotiated content includes the options defined in RFC (Request For Comments) 1661.

Step S704: After LCP negotiation, the Establish phase is reached and PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) authentication begins. PAP is a two-way handshake authentication in which the password is sent in plain text; the PAP authentication process is as follows: the user name and password are sent to the authenticator, the authenticator checks whether the user exists and whether the password is correct, and then sends the corresponding response. CHAP is a three-way handshake authentication in which the password is sent as ciphertext (a key): the authenticator sends some randomly generated messages to the party being authenticated, which encrypts them with its own password using the MD5 (Message Digest Algorithm 5) algorithm and returns the ciphertext; the authenticator encrypts its stored password and the random message with the MD5 algorithm, compares the two ciphertexts, and returns a response according to the comparison result.

Step S706: When authentication succeeds, the Network phase negotiation (NCP) is performed; in IP access this is mainly IPCP negotiation (such as negotiation of the IP address and the DNS address). This embodiment adds firewall negotiation at this stage.

Step S708: The firewall is configured according to the result of the negotiation; of course, parameters such as the IP address and DNS are configured at the same time.

Step S710: If the negotiation succeeds, the link is established and network layer data packets can be transmitted.

FIG. 8 is a schematic diagram of the PPP IPCP Configuration Request message format according to an embodiment of the present invention. As shown in FIG. 8, the message code 0x01 indicates that the message is a PPP IPCP Configuration Request message; the code is followed by the IP address option, Option 1 (IP Address); Option 129 is the primary DNS address option and option 131 is the secondary DNS address option. These options are consistent with the existing PPP IPCP protocol standard (see RFC 1877). In this embodiment, the firewall options option 141 and option 142 are added; of course, the option numbers of the firewall options may be any values not used in the PPP access protocol. Option 141 represents the firewall accept (Accept) option and option 142 represents the firewall reject (Drop) option. Both option 141 and option 142 include a code field and a length (Len) field, which together occupy 2 bytes; in the request, the data of option 141 and option 142 beyond the code and Len fields defaults to 0, which indicates that the client is requesting the firewall information of the server.

FIG. 9 is a schematic diagram of the PPP IPCP Configuration NAK message format according to an embodiment of the present invention. In the PPP protocol, the access server passes the configuration information to the client in a PPP IPCP Configuration NAK message, whose format is as shown in FIG. 9: the code 0x03 indicates that the message is an IPCP Configuration NAK message, and the code is followed by the configuration data fields, for example the IP Address field, the primary DNS address field and the secondary DNS address field. In this embodiment, the firewall option data fields of option 141 and option 142 are added, each including the length of its option. The data format of the firewall option area is: the firewall option code, 1 byte (141 or 142); the sub-option data length, 1 byte; and the firewall data, Len-2 bytes.

FIG. 10 is a schematic diagram of the PPP IPCP firewall option message format according to an embodiment of the present invention. As shown in FIG. 10, the specific message format of the firewall data option is as follows: the firewall data consists of the source address/subnet mask (5 bytes), the port number (2 bytes), the protocol (2 bytes) and the destination address/subnet mask (5 bytes), 14 bytes in total.
The IP address/subnet mask data has a format similar to 192.168.1.0/24. The firewall option data length Len-2 must be an integer multiple of 14, and a firewall option may contain several consecutive rules. Within the firewall option data, if a data field, for example the source address/subnet mask, the port number, the protocol or the destination address/subnet mask, is all zeros, it denotes any value, that is, any source address/subnet mask, any port number, any protocol or any destination address/subnet mask.

In the above embodiment, the access server can manage the access of the broadband access client to special services in the following way: the broadband access protocol server fills the commonly used server address of a special service (such as MSN, QQ, P2P, a special website, etc.) into the destination IP address of the response packet, fills the commonly used port into the port number field and the protocol into the protocol field, and the firewall option code is 0x82. If the server carries no firewall option data, these services are allowed by default; if the server carries the firewall drop option (DROP), these services are denied.

The automatic firewall policy configuration in the above embodiment covers both the access control of the access terminal towards the upper-layer network and the access of downstream devices to the access terminal. By controlling the access of downstream devices to the access terminal, multi-user NAT (Network Address Translation) Internet sharing can be controlled. Generally, the access terminal needs to allocate addresses to the downstream devices; the server fills a single source IP address or a source IP address range from that address pool into the source IP address field of the reply packet, and the client, according to the reply packet, configures single-user or single-address access to the access terminal, thereby controlling multi-user shared Internet access.

Through the above embodiments of the present invention, the firewall policy is distributed by using the network configuration process of the broadband access protocol, so that firewall rules for clients of different levels are configured dynamically at the time of broadband access; this both makes distribution of the firewall policy convenient and saves distribution resources. In addition, the above embodiments of the present invention also provide a simple method for managing the opening and closing of specific services, for controlling the number of access hosts that the system where the client resides can support, and for controlling multi-user shared Internet access.

Obviously, those skilled in the art should understand that the modules or steps of the present invention described above can be implemented by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented by program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described can be executed in an order different from that given here; alternatively, they can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus, the present invention is not limited to any particular combination of hardware and software.

The above is only the preferred embodiment of the present invention and is not intended to limit the present invention; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
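As an added example (not code from the patent), the following Python parses and builds the firewall option described above (Option 141 accept, Option 142 drop; Code, Len, then 14-byte rules) and applies the rules to a flow with the all-zero "any" wildcard and the default-allow semantics. It assumes the 1-byte mask is a prefix length and that a matching drop rule decides the verdict; the sample option is constructed here.

```python
"""Parser/builder for the PPP IPCP firewall options and a matcher for the rules they carry."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

FW_ACCEPT = 141         # Option 141: firewall accept option (from the page)
FW_DROP = 142           # Option 142: firewall drop option (from the page)
RULE_LEN = 14           # src addr/mask 5 + port 2 + protocol 2 + dst addr/mask 5 bytes
RULE_FMT = "!4sBHH4sB"  # assumption: the 1-byte "mask" is a prefix length (24 for /24)


@dataclass
class FirewallRule:
    src: bytes          # 4-byte source address
    src_prefix: int     # source prefix length
    port: int           # port number, 0 = any
    proto: int          # IP protocol number, 0 = any
    dst: bytes          # 4-byte destination address
    dst_prefix: int     # destination prefix length


def parse_firewall_option(option: bytes) -> Tuple[int, List[FirewallRule]]:
    """Parse one firewall option TLV (Code, Len, rules) from an IPCP Configure-NAK."""
    if len(option) < 2:
        raise ValueError("option shorter than the 2-byte Code/Len header")
    code, length = option[0], option[1]
    if code not in (FW_ACCEPT, FW_DROP):
        raise ValueError("option %d is not a firewall option" % code)
    if length != len(option):
        raise ValueError("Len %d does not match option size %d" % (length, len(option)))
    body = option[2:]
    if len(body) % RULE_LEN:  # the page requires Len-2 to be a multiple of 14
        raise ValueError("firewall data length %d is not a multiple of 14" % len(body))
    rules = [FirewallRule(*struct.unpack(RULE_FMT, body[o:o + RULE_LEN]))
             for o in range(0, len(body), RULE_LEN)]
    return code, rules


def build_firewall_option(code: int, rules: List[FirewallRule]) -> bytes:
    """Encode rules as a single option; several consecutive rules share one TLV."""
    body = b"".join(struct.pack(RULE_FMT, r.src, r.src_prefix, r.port, r.proto,
                                r.dst, r.dst_prefix) for r in rules)
    if 2 + len(body) > 255:
        raise ValueError("too many rules for one option (Len is a single byte)")
    return bytes([code, 2 + len(body)]) + body


def _addr_matches(addr: bytes, prefix: int, packet_ip: str) -> bool:
    if addr == b"\x00\x00\x00\x00" and prefix == 0:  # all-zero field means "any"
        return True
    net = ipaddress.IPv4Network((int.from_bytes(addr, "big"), prefix), strict=False)
    return ipaddress.IPv4Address(packet_ip) in net


def rule_matches(rule: FirewallRule, src_ip: str, dst_ip: str, port: int, proto: int) -> bool:
    return (_addr_matches(rule.src, rule.src_prefix, src_ip)
            and rule.port in (0, port)
            and rule.proto in (0, proto)
            and _addr_matches(rule.dst, rule.dst_prefix, dst_ip))


def decide(options: List[bytes], src_ip: str, dst_ip: str, port: int, proto: int) -> str:
    """Verdict for one flow: no firewall data means allow (page); assumption: a matching DROP wins."""
    for opt in options:
        code, rules = parse_firewall_option(opt)
        if code == FW_DROP and any(rule_matches(r, src_ip, dst_ip, port, proto) for r in rules):
            return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed sample: deny TCP/443 towards 203.0.113.0/24 from any source address.
    drop = build_firewall_option(FW_DROP, [FirewallRule(b"\x00" * 4, 0, 443, 6,
                                                        bytes([203, 0, 113, 0]), 24)])
    print(drop.hex(), decide([drop], "10.0.0.2", "203.0.113.5", 443, 6))
```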

Claims

1. A firewall policy distribution method for a broadband access protocol, comprising:
a client sending an access protocol packet to an access server, wherein the access protocol packet carries firewall policy configuration request information;
the client receiving a response packet sent by the access server in response to the access protocol packet, wherein the response packet carries firewall policy configuration response information corresponding to the access right of the client; and
the client configuring its own firewall rules according to the firewall policy configuration response information.

2. The firewall policy distribution method according to claim 1, wherein before the client receives the response packet sent by the access server in response to the access protocol packet, the method further comprises:
the access server obtaining information of the client from the received access protocol packet and determining the access right of the client according to the information of the client, wherein the information of the client comprises at least one of the following: a media access control (MAC) address, an operator code and a user classification code; and
the access server encapsulating the firewall policy configuration response information corresponding to the access right of the client in the response packet and sending it to the client.

3. The firewall policy distribution method according to claim 2, wherein the broadband access protocol is the Dynamic Host Configuration Protocol (DHCP).

4. The firewall policy distribution method according to claim 3, wherein the access protocol packet is a DHCP Discover packet or a DHCP Request packet, and the firewall policy configuration request information is encapsulated in an option of the DHCP Discover packet or the DHCP Request packet; and the response packet is a DHCP Offer packet or a DHCP Acknowledgement packet, and the firewall policy configuration response information is encapsulated in an option of the DHCP Offer packet or the DHCP Acknowledgement packet.

5. The firewall policy distribution method according to claim 3, further comprising, after the client configures its own firewall rules according to the firewall policy configuration response information:
within a predetermined time interval, the client sending a firewall policy renewal request packet to the access server, wherein the firewall policy renewal request packet is used to request the access server to renew the firewall policy of the client;
the client receiving a firewall policy lease response packet sent by the access server in response to the firewall policy renewal request packet; and
the client extending its configured firewall rules or invalidating its configured firewall rules according to the firewall policy lease response packet.

6. The firewall policy distribution method according to claim 2, wherein the broadband access protocol is the Point-to-Point Protocol (PPP).

7. The firewall policy distribution method according to claim 6, wherein the access protocol packet is a Point-to-Point IP Control Protocol (PPP IPCP) Configuration Request packet, and the firewall policy configuration request information is encapsulated in an option of the PPP IPCP Configuration Request packet; and the response packet is a PPP IPCP configuration response packet, and the firewall policy configuration response information is encapsulated in an option of the PPP IPCP configuration response packet.

8. A firewall policy distribution client for a broadband access protocol, comprising:
a first sending module, configured to send an access protocol packet to an access server, wherein the access protocol packet carries firewall policy configuration request information;
a first receiving module, configured to receive the response packet from the access server, wherein the response packet carries firewall policy configuration response information corresponding to the access right of the client; and
a firewall module, configured to configure the firewall rules of the client according to the firewall policy configuration response information.

9. A firewall policy distribution access server for a broadband access protocol, comprising:
a second receiving module, configured to receive an access protocol packet from the client, wherein the access protocol packet carries firewall policy configuration request information;
a second sending module, configured to send a response packet to the client in response to the access protocol packet, wherein the response packet carries firewall policy configuration response information corresponding to the access right of the client; and
a permission module, configured to determine the access right of the client according to the information of the client carried in the access protocol packet, wherein the information of the client comprises at least one of the following: a media access control (MAC) address, an operator code and a user classification code.

10. A firewall policy distribution system for a broadband access protocol, comprising a client and an access server, wherein
the client comprises:
a first sending module, configured to send an access protocol packet to the access server, wherein the access protocol packet carries firewall policy configuration request information;
a first receiving module, configured to receive the response packet from the access server; and
a firewall module, configured to configure the firewall rules of the client according to the firewall policy configuration response information; and
the access server comprises:
a second receiving module, configured to receive the access protocol packet from the client;
a second sending module, configured to send to the client the response packet in response to the access protocol packet, wherein the response packet carries firewall policy configuration response information corresponding to the access right of the client; and
a permission module, configured to determine the access right of the client according to the information of the client carried in the access protocol packet, wherein the information of the client comprises at least one of the following: a media access control (MAC) address, an operator code and a user classification code.
PCT/CN2011/075986 2010-10-20 2011-06-20 Firewall policy distribution method, client, access server and system WO2012051868A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010514063.0A CN101977187B (en) 2010-10-20 2010-10-20 Firewall policy distribution method, client, access server and system
CN201010514063.0 2010-10-20

Publications (1)

Publication Number Publication Date
WO2012051868A1 true WO2012051868A1 (en) 2012-04-26

Family

ID=43577032

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/075986 WO2012051868A1 (en) 2010-10-20 2011-06-20 Firewall policy distribution method, client, access server and system

Country Status (2)

Country Link
CN (1) CN101977187B (en)
WO (1) WO2012051868A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107948205A (en) * 2017-12-31 2018-04-20 中国移动通信集团江苏有限公司 Firewall strategy-generating method, device, equipment and medium

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101977187B (en) * 2010-10-20 2015-10-28 中兴通讯股份有限公司 Firewall policy distribution method, client, access server and system
CN102780776B (en) * 2012-07-19 2018-03-27 中兴通讯股份有限公司 Application layer transmission optimization server finds method and device
CN104184717A (en) * 2014-02-20 2014-12-03 西安未来国际信息股份有限公司 Virtual host safety protection system design
CN105141571A (en) * 2014-06-09 2015-12-09 中兴通讯股份有限公司 Distributed virtual firewall device and method
CN104410644A (en) * 2014-12-15 2015-03-11 北京国双科技有限公司 Data configuration method and device
CN105100124B (en) * 2015-09-14 2018-10-26 浪潮(北京)电子信息产业有限公司 A kind of firewall management system, client, server end and method
CN105978933B (en) * 2016-04-25 2019-09-17 青岛海信电器股份有限公司 A kind of web-page requests and response method, terminal, server and system
CN106060041A (en) * 2016-05-30 2016-10-26 北京琵琶行科技有限公司 Enterprises network access authority control method and device
CN107241458A (en) * 2017-06-14 2017-10-10 上海斐讯数据通信技术有限公司 A kind of method and device of avoidance system type detection
CN113992369B (en) * 2021-10-18 2023-07-18 北京天融信网络安全技术有限公司 Topology management method and system for network security equipment
CN116614318B (en) * 2023-07-20 2023-10-03 深圳市中科云科技开发有限公司 Network security protection method and system based on firewall

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101056178A (en) * 2007-05-28 2007-10-17 中兴通讯股份有限公司 A method and system for controlling the user network access right
CN101340444A (en) * 2008-08-26 2009-01-07 华为技术有限公司 Fireproof wall and server policy synchronization method, system and apparatus
CN101977187A (en) * 2010-10-20 2011-02-16 中兴通讯股份有限公司 Firewall policy distribution method, client, access server and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7664096B2 (en) * 2003-06-25 2010-02-16 At&T Intellectual Property I, Lp Remote location VOIP roaming behind firewalls
CN101340287A (en) * 2007-07-02 2009-01-07 华为技术有限公司 Network access verifying method, system and apparatus

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107948205A (en) * 2017-12-31 2018-04-20 中国移动通信集团江苏有限公司 Firewall strategy-generating method, device, equipment and medium
CN107948205B (en) * 2017-12-31 2020-10-27 中国移动通信集团江苏有限公司 Firewall strategy generation method, device, equipment and medium

Also Published As

Publication number Publication date
CN101977187A (en) 2011-02-16
CN101977187B (en) 2015-10-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11833774

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11833774

Country of ref document: EP

Kind code of ref document: A1