WO2012051868A1 - Firewall policy distribution method, client, access server, and system - Google Patents

Firewall policy distribution method, client, access server, and system

Publication number
WO2012051868A1
WO2012051868A1 PCT/CN2011/075986 CN2011075986W WO2012051868A1 WO 2012051868 A1 WO2012051868 A1 WO 2012051868A1 CN 2011075986 W CN2011075986 W CN 2011075986W WO 2012051868 A1 WO2012051868 A1 WO 2012051868A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
access
firewall
firewall policy
response
Prior art date
Application number
PCT/CN2011/075986
Other languages
English (en)
Chinese (zh)
Inventor
万齐根
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2012051868A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the present invention relates to the field of communications, and in particular to a firewall policy distribution method, a client, an access server, and a system.
  • a firewall policy generally refers to a rule that restricts a user's access to certain information items, or restricts a user's use of certain control functions, according to the user identity and the predefined domain to which the user belongs, so as to control the user's network access.
  • a primary object of the present invention is to provide a firewall policy distribution method, a client, an access server, and a system to at least solve the above problem of inconvenient distribution of firewall policies and requiring additional resources.
  • a firewall policy distribution method including: a client sends an access protocol packet to an access server, where the access protocol packet carries a firewall policy configuration request message; the client receives the response message sent by the access server in response to the access protocol message, where the response message carries the firewall policy configuration response information corresponding to the access authority of the client; the client configures its own firewall rules according to the firewall policy configuration response information.
  • the method further includes: the access server acquires the information of the client from the received access protocol packet and determines the client's access rights according to that information, where the client information includes at least one of the following: media access control (MAC) address, carrier code, user classification code; the access server encapsulates the firewall policy configuration response information corresponding to the client's access rights in the response message and sends it to the client. The broadband access protocol is the Dynamic Host Configuration Protocol (DHCP).
  • the access protocol packet is a dynamic host configuration protocol discovery packet or a dynamic host configuration protocol request packet.
  • the firewall policy configuration request information is encapsulated in an option of DHCP discovery or DHCP request.
  • the response message is a DHCP offer message or a DHCP acknowledgement message.
  • the firewall policy configuration response information is encapsulated in an option of the DHCP offer or DHCP acknowledgement.
  • After the client configures its own firewall rules according to the firewall policy configuration response information, the method further includes: during a predetermined time interval, the client sends a firewall policy renewal request message to the access server, where the firewall policy renewal request message is used to request the access server to renew the firewall policy of the client; the client receives the firewall policy renewal response message that the access server sends in response to the firewall policy renewal request message; according to the firewall policy renewal response message, the client extends its configured firewall rules or invalidates its configured firewall rules.
  • the broadband access protocol is the point-to-point protocol PPP.
  • the access protocol packet is a Point-to-Point Protocol IP Control Protocol (PPP IPCP) configuration request packet, and the firewall policy configuration request information is encapsulated in an option of the PPP IPCP configuration request.
  • the response message is a PPP IPCP configuration response.
  • the firewall policy configuration response information is encapsulated in the PPP IPCP configuration response option.
  • a firewall policy distribution client including: a first sending module, configured to send an access protocol packet to an access server, where the access protocol packet carries firewall policy configuration request information; a first receiving module, configured to receive the response message from the access server, where the response message carries the firewall policy configuration response information corresponding to the access right of the client; and a firewall module, configured to configure the client's firewall rules according to the firewall policy configuration response information.
  • a firewall policy distribution access server including: a second receiving module, configured to receive an access protocol message from a client, where the access protocol packet carries the firewall policy configuration request information; a second sending module, configured to send a response packet to the client in response to the access protocol packet, where the response packet carries firewall policy configuration response information corresponding to the access authority of the client; and a privilege module, configured to determine the access rights of the client according to the information of the client carried in the access protocol packet, where the information of the client is at least one of the following: MAC (Media Access Control) address information, carrier code (Vendor ID), user classification code (User Classified ID).
  • a firewall policy distribution system including: a client and an access server, where the client includes: a first sending module, configured to send an access protocol packet to the access server, where the access protocol packet carries the firewall policy configuration request information; a first receiving module, configured to receive the response packet from the access server; and a firewall module, configured to configure the firewall rule of the client according to the firewall policy configuration response information.
  • the access server includes: a second receiving module, configured to receive an access protocol message from the client; a second sending module, configured to send a response message to the client in response to the access protocol message, where the response message carries the firewall policy configuration response information corresponding to the client's access right; and a permission module, configured to determine the access authority of the client according to the information of the client carried in the access protocol packet, where the client information includes at least one of the following: MAC (Media Access Control) address information, carrier code (Vendor ID), and user classification code (User Classified ID).
  • FIG. 1 A block diagram illustrating an exemplary computing environment in accordance with the invention.
  • FIG. 1 is a flowchart of a firewall policy distribution method according to an embodiment of the present invention
  • FIG. 2 is a block diagram showing a firewall policy distribution client according to an embodiment of the present invention
  • FIG. 4 is a structural block diagram of a firewall policy distribution system according to an embodiment of the present invention
  • FIG. 5 is a schematic diagram of a firewall policy distribution of a DHCP protocol according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram of a packet format of a firewall option of a DHCP protocol according to an embodiment of the present invention
  • FIG. 7 is a schematic diagram of the firewall policy distribution of the PPP protocol according to an embodiment of the present invention
  • FIG. 8 is a schematic diagram showing the format of the PPP IPCP Configuration Request data in the embodiment of the present invention
  • FIG. 9 is a schematic diagram showing the format of the PPP IPCP Configuration NAK data in the embodiment of the present invention
  • FIG. 10 is a schematic diagram showing the format of a PPP IPCP firewall option data according to an embodiment of the present invention.
  • In a TCP/IP network, before a host can access the network it must first be given its network configuration, such as IP address, subnet mask, gateway and DNS (Domain Name System).
  • the configuration of these parameters is essential. This configuration information is carried in the options of a broadband access protocol, for example DHCP (Dynamic Host Configuration Protocol) or PPP IPCP (Point-to-Point Protocol Internet Protocol Control Protocol).
  • the firewall policy information is encapsulated, in a certain format, in the options of these access protocols. When a client accesses the network, the access server automatically distributes the firewall policy to different through the broadband access protocol.
  • FIG. 1 is a flowchart of a method for distributing a firewall policy according to an embodiment of the present invention.
  • the method includes: Step S102: a client sends an access protocol packet to an access server, where the access protocol packet carries firewall policy configuration request information.
  • Step S106: the client configures its own firewall rule according to the firewall policy configuration response information.
  • FIG. 2 is a block diagram showing a structure of a firewall policy distribution client according to an embodiment of the present invention.
  • the client 100 includes: a first sending module 102, a first receiving module 104, and a firewall module 106.
  • the first sending module 102 is connected to the first receiving module 104 and the firewall module 106, and is configured to send an access protocol packet to the access server, where the sent access protocol packet carries firewall policy configuration request information.
  • the first receiving module 104 is configured to receive the response message from the access server, where the response message carries the firewall policy configuration response information corresponding to the access authority of the client.
  • the firewall module 106 is connected to the first sending module 102 and the first receiving module 104, and is configured to configure the firewall rules of the client by using the firewall policy configuration response information.
  • FIG. 3 is a structural block diagram of a firewall policy distribution access server according to an embodiment of the present invention.
  • the access server 200 includes: a second sending module 202, a second receiving module 204, and a rights module 206.
  • the second receiving module 204 is connected to the second sending module 202 and the privilege module 206, and is configured to receive the access protocol packet from the client, where the access protocol packet carries the firewall policy configuration request information.
  • the second sending module 202 is connected to the second receiving module 204, and is configured to send a response message to the client in response to the access protocol message, where the response message carries firewall policy configuration response information corresponding to the access authority of the client.
  • the privilege module 206 is configured to determine the access authority of the client according to the MAC address information of the client encapsulated in the access protocol packet.
  • FIG. 4 is a structural block diagram of a firewall policy distribution system according to an embodiment of the present invention. As shown in FIG. 4, the distribution system includes a client 100 and an access server 200 coupled to each other, where the client 100 includes: a first sending module 102, configured to send an access protocol packet to the access server 200, where the access protocol packet carries firewall policy configuration request information; and a first receiving module 104, configured to receive the response packet from the access server 200.
  • the firewall module 106 is configured to configure the firewall rule of the client 100 according to the firewall policy configuration response information.
  • the access server 200 includes: a second receiving module 204 configured to receive an access protocol message from the client 100; and a second sending module 202 configured to send a response to the client 100 in response to the access protocol message
  • the firewall policy configuration request information and the firewall policy configuration response information are encapsulated in the broadband access protocol packet and the response packet respectively, so that the firewall policy corresponding to the client's authority is distributed to the client through the network configuration interaction process of the broadband access protocol, and the client can automatically and dynamically configure its own firewall rules at the time of broadband access.
  • FIG. 5 is a schematic diagram of a firewall policy distribution process of a DHCP protocol according to an embodiment of the present invention.
  • the terminal device includes a DHCP client and a firewall module, and the terminal device accesses the Internet through the DHCP mode.
  • the interaction process between the terminal device and the DHCP server is as shown in FIG. 5: Steps S502 to S508 are the negotiation phase of DHCP; the negotiation process is prior art and is not described in detail here.
  • the DHCP client carries a firewall option request in the Parameter Request List of its DHCP Discovery and DHCP Request messages, to request the DHCP server to send firewall information. A DHCP server that does not support firewall options can ignore the option.
  • After receiving the DHCP Discovery and DHCP Request messages, the DHCP server checks the parameter request list and fills the corresponding firewall information into the firewall field in a certain format.
  • the DHCP Request and DHCP ACK messages are sent to the DHCP client.
  • After receiving the DHCP ACK, the DHCP client parses the firewall option area data, and in step S510 passes the parsed data to the firewall module.
  • the firewall module executes the firewall rule on the terminal device, and the firewall rule is valid for half of the lease time.
  • When half of the lease time has elapsed, the DHCP client sends a DHCP Request message to the DHCP server for renewal.
  • the DHCP server gives the lease renewal response through a DHCP ACK in step S514. If the lease renewal is successful, the DHCP client notifies the firewall module in step S516, and the firewall module extends the effective time of the corresponding firewall rule to half of the new lease time. If the lease renewal fails, the firewall rule becomes invalid and the next round of DHCP interaction is performed.
  • the interaction steps are the same as the above steps.
  • In practice, the firewall renewal described above is performed in synchronization with the IP address renewal of the DHCP protocol, except that the firewall renewal option is added to the DHCP Request message.
  • the DHCP Discovery message sent by the DHCP client carries option 55, the parameter request list.
  • the parameter request list includes: subnet mask (option 1), router (option 3), domain name server (option 6), host name (option 12), domain name (option 15), time server (option 4), carrier code Vendor ID (option 60) and user classification code User category ID (option 77).
  • a firewall option (option 130) is added to the option list.
  • the DHCP server replies with a DHCP Offer message, providing the information requested by the DHCP client.
  • the DHCP client level is judged from the source MAC address, the Vendor ID, the User Classified ID or other host information, and the firewall information of the corresponding option 130 is provided.
  • After the DHCP client receives the final ACK of the DHCP server, it uses the firewall option information in the DHCP options to dynamically configure the client firewall.
  • FIG. 6 is a schematic diagram of the packet format of the DHCP protocol firewall option in the embodiment of the present invention. As shown in FIG. 6:
  • the DHCP firewall option code is 130, that is 0x82, and occupies one byte.
  • the option code can be any value in the range 0-255 that is not used in the standard DHCP access protocol.
  • the DHCP firewall option can include two sub-options, firewall pass and firewall reject; the sub-option codes are 1 and 2 respectively, each occupying one byte; the sub-option data length Len occupies 2 bytes; the firewall data is Len bytes.
  • the source address/subnet mask is 5 bytes
  • the port number is 2 bytes
  • the protocol is 2 bytes
  • the destination address/subnet mask is 5 bytes.
  • the length is 14 bytes.
  • the IP address/subnet mask data is in a format similar to 192.168.1.0/24.
  • if a certain data area, such as the source address/subnet mask, port number, protocol or destination address/subnet mask area, is all 0, it corresponds to any value, that is, any source address/subnet mask, any port number, any protocol, or any destination address/subnet mask.
  • each sub-option of the DHCP firewall can contain multiple consecutive rules, and the sub-option data length must be an integer multiple of 14 bytes.
  • the firewall option is placed at the end of all DHCP options, together with the DHCP option terminator "0xff".
  • Figure 7 shows the firewall policy distribution of the PPP protocol according to the embodiment of the present invention.
  • the implementation of the PPP protocol includes two phases, the LCP (Link Control Protocol) phase and the NCP (Network Control Protocol) phase; the network configuration is reflected in the NCP phase, and the configuration of parameters such as DNS, WINS (Windows Internet Naming Server)
  • the firewall policy for this example is distributed by adding two firewall options to the PPP client request: filter ( Accept ) 141 and filter ( DROP ) 142.
  • in the request, each firewall option is 2 bytes long, comprising the option code and the length field.
  • the PPP server judges the PPP client level from the source MAC address information, account information and other host information, and sends the corresponding firewall option information in a PPP IPCP Configuration NAK packet.
  • the option information format includes the option code, the length, and the firewall data.
  • Step S702 The LCP negotiates, and the content of the negotiation includes an option defined in the RFC (Request For Comments) 1661.
  • Step S704: after the LCP negotiation, the establishment phase is entered and PAP (Password Authentication Protocol) authentication is started.
  • PAP is a two-way handshake authentication, and the password is sent in plain text.
  • the PAP authentication process is as follows: the authenticated party sends the user name together with the password to the authenticator. The authenticator checks whether the user has that password, and then sends the corresponding response.
  • CHAP is a three-way handshake authentication, and the password is ciphertext (key).
  • in CHAP authentication, the authenticator sends a randomly generated message to the authenticated party.
  • the authenticated party uses the MD5 (Message Digest Algorithm 5) algorithm with its own password to produce the ciphertext, and the authenticator likewise encrypts the password and the random message with the MD5 algorithm.
  • Step S706: when the authentication succeeds, the network phase negotiation (NCP) is performed; for IP access this is mainly the IPCP negotiation (such as the negotiation of the IP address and the DNS address).
  • This embodiment adds firewall negotiation at this stage.
  • Step S708: according to the result of the negotiation, the firewall is configured, as are parameters such as the IP address and DNS.
  • Step S710 if the negotiation is successful, the link is established, and the network layer data packet can be transmitted.
  • FIG. 8 is a schematic diagram showing the format of the PPP IPCP Configuration Request data in the embodiment of the present invention. As shown in FIG. 8:
  • the code of the message is 0x01, indicating that the message is a PPP IPCP Configuration Request message;
  • the code is followed by the IP address option Option 1 (IP Address);
  • Option 129 is the primary DNS address option;
  • option 131 is the alternate DNS address option; the above options are consistent with the existing PPP IPCP protocol standard (refer to RFC 1877).
  • the option 141 and option 142 firewall options are added.
  • the option number of the firewall option may be any value not used in the PPP access protocol; here option 141 represents a firewall accept option and option 142 represents a firewall drop option.
  • the option 141 and option 142 options both include the code field and the length (Len) field.
  • the code and Len fields are 2 bytes in total.
  • FIG. 9 shows the format of the PPP IPCP Configuration NAK data in the embodiment of the present invention.
  • the code is 0x03 for the IPCP Configuration NAK message, and the code is followed by the configuration data fields, for example the IP address field, the primary DNS address field and the alternate DNS address field.
  • the option 141 and option 142 firewall option data fields are added, and include the length of the respective option.
  • the data format of the firewall option area is: firewall option code, 1 byte (141 or 142); suboption data length, 1 byte; and firewall data, Len-2 bytes.
  • FIG. 10 is a schematic diagram showing the format of the PPP IPCP firewall option data in the embodiment of the present invention. As shown in FIG. 10, the specific format of the firewall data option is as follows: the firewall data is the source address/subnet mask (5 bytes), port number (2 bytes), protocol (2 bytes) and destination address/subnet mask (5 bytes), 14 bytes in total.
  • the IP address/subnet mask data is similar to the 192.168.1.0/24 format.
  • the firewall option data length Len-2 must be an integer multiple of 14.
  • the firewall option can contain multiple consecutive rules. If some data area of the firewall option data, for example the source address/subnet mask, port number, protocol or destination address/subnet mask area, is all 0, it corresponds to any value, that is, any source address/subnet mask, any port number, any protocol, or any destination address/subnet mask.
  • the access server can manage the broadband access client's access to special services as follows: for special services (such as MSN, QQ, P2P, special websites, etc.), the broadband access protocol server side fills the common server address into the destination IP address area of the response message, the common port into the port number area, and the protocol into the protocol area.
  • the firewall option code is 0x82. If the server does not have firewall option data, it means that these services are allowed by default, and if the server has a firewall rejection option (DROP), it means to reject these services.
  • the automatic configuration of the firewall policy in the foregoing embodiment includes the access control of the access layer to the upper layer network, and the access of the downstream device to the access end.
  • the access terminal needs to allocate addresses to downstream devices, and the server replies with a single source IP address or a source IP address range in the address pool to fill the source IP address field; according to the reply packet, the client configures single-user or single-address access to the access end, so as to control multi-user shared Internet access.
  • the network configuration process of the broadband access protocol is used to distribute the firewall policy, and the firewall rules of clients of different levels are dynamically configured when the client accesses the broadband network, so that firewall policy distribution can be implemented conveniently and resources can be saved.
  • a simple method for opening and closing a specific service is also provided, as is control over the number of access hosts that the client's system supports, which provides a way to control multi-user shared Internet access.
  • modules or steps of the present invention can be implemented by a general-purpose computing device, which can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps may be performed in an order different from the order herein.
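
The DHCP option 130 sub-options and the PPP IPCP options 141/142 described above share the same 14-byte rule layout. The strict decoder below is an added example, not code from the patent; it validates lengths before use because the option data arrives from the network. It assumes network byte order, that each 5-byte address/mask area is four address bytes plus a prefix-length byte, and that the DHCP input is the sub-option region following the option code; all names and sample bytes are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Union

RULE_LEN = 14                                # 5 + 2 + 2 + 5 bytes per rule
DHCP_SUBOPTIONS = {1: "pass", 2: "reject"}   # sub-options of DHCP option 130
PPP_OPTIONS = {141: "accept", 142: "drop"}   # PPP IPCP firewall options

class FirewallOptionError(ValueError):
    """Option data does not match the layout described in the text."""

@dataclass(frozen=True)
class Rule:
    action: str
    src: str                     # "a.b.c.d/nn" or "any"
    port: Union[int, str]        # port number or "any"
    proto: Union[int, str]       # protocol value or "any"
    dst: str

def decode_network(raw: bytes) -> str:
    """Decode a 5-byte address/mask area; all zeros means any."""
    if raw == bytes(5):
        return "any"
    prefix = raw[4]              # assumption: 5th byte is the prefix length
    if prefix > 32:
        raise FirewallOptionError(f"prefix length {prefix} exceeds 32")
    return str(ipaddress.IPv4Network((raw[:4], prefix), strict=False))

def parse_rules(data: bytes, action: str) -> List[Rule]:
    """Split firewall data into consecutive 14-byte rules."""
    if len(data) % RULE_LEN:
        raise FirewallOptionError(
            f"firewall data is {len(data)} bytes, not a multiple of {RULE_LEN}")
    rules = []
    for off in range(0, len(data), RULE_LEN):
        src, port, proto, dst = struct.unpack_from("!5sHH5s", data, off)
        rules.append(Rule(action, decode_network(src), port or "any",
                          proto or "any", decode_network(dst)))
    return rules

def parse_dhcp_firewall(payload: bytes) -> List[Rule]:
    """Parse sub-options: code (1 byte), Len (2 bytes), Len bytes of rules."""
    rules, off = [], 0
    while off < len(payload):
        if len(payload) - off < 3:
            raise FirewallOptionError("truncated sub-option header")
        code, length = struct.unpack_from("!BH", payload, off)
        off += 3
        if code not in DHCP_SUBOPTIONS:
            raise FirewallOptionError(f"unknown sub-option code {code}")
        if length > len(payload) - off:
            raise FirewallOptionError("sub-option Len runs past end of data")
        rules += parse_rules(payload[off:off + length], DHCP_SUBOPTIONS[code])
        off += length
    return rules

def parse_ppp_firewall(option: bytes) -> List[Rule]:
    """Parse one option: code (141/142), Len (1 byte), Len-2 bytes of rules."""
    if len(option) < 2:
        raise FirewallOptionError("truncated option header")
    code, length = option[0], option[1]
    if code not in PPP_OPTIONS:
        raise FirewallOptionError(f"not a firewall option: {code}")
    if length != len(option):
        raise FirewallOptionError("Len field does not match option size")
    return parse_rules(option[2:], PPP_OPTIONS[code])

def pack_rule(src, src_prefix, port, proto, dst, dst_prefix) -> bytes:
    """Build one 14-byte rule (helper for the constructed samples)."""
    return struct.pack("!4sBHH4sB",
                       ipaddress.IPv4Address(src).packed, src_prefix,
                       port, proto,
                       ipaddress.IPv4Address(dst).packed, dst_prefix)

# Constructed samples: pass 192.168.1.0/24 -> any on port 443, protocol 6;
# reject anything destined for 203.0.113.0/24.
RULE_PASS = pack_rule("192.168.1.0", 24, 443, 6, "0.0.0.0", 0)
RULE_DROP = pack_rule("0.0.0.0", 0, 0, 0, "203.0.113.0", 24)
SAMPLE_DHCP = (b"\x01" + struct.pack("!H", 14) + RULE_PASS +
               b"\x02" + struct.pack("!H", 14) + RULE_DROP)
SAMPLE_PPP = bytes([142, 2 + RULE_LEN]) + RULE_DROP

if __name__ == "__main__":
    for rule in parse_dhcp_firewall(SAMPLE_DHCP) + parse_ppp_firewall(SAMPLE_PPP):
        print(rule)
```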

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a firewall policy distribution method. The invention also relates to a client, an access server and a system corresponding to broadband access protocols. The firewall policy distribution method comprises the following steps: a client sends access protocol messages to an access server, the access protocol messages carrying firewall policy configuration request information (S102); the client receives response messages which respond to the access protocol messages and are sent from the access server, the response messages carrying firewall policy configuration response information corresponding to the client's access authority (S104); and the client configures its own firewall rules on the basis of the firewall policy configuration response information (S106). The present invention distributes firewall policies through the interactive network configuration procedures of broadband access protocols. It also allows a client to configure its own firewall rules dynamically. By using existing broadband access protocols, firewall policy distribution is extremely convenient and distribution resources can be saved.
PCT/CN2011/075986 2010-10-20 2011-06-20 Firewall policy distribution method, client, access server, and system WO2012051868A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010514063.0 2010-10-20
CN201010514063.0A CN101977187B (zh) 2010-10-20 2010-10-20 Firewall policy distribution method, client, access server and system

Publications (1)

Publication Number Publication Date
WO2012051868A1 (fr) 2012-04-26

Family

ID=43577032

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/075986 WO2012051868A1 (fr) 2010-10-20 2011-06-20 Firewall policy distribution method, client, access server, and system

Country Status (2)

Country Link
CN (1) CN101977187B (fr)
WO (1) WO2012051868A1 (fr)

Also Published As

Publication number Publication date
CN101977187A (zh) 2011-02-16
CN101977187B (zh) 2015-10-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11833774

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11833774

Country of ref document: EP

Kind code of ref document: A1