WO2013071821A1 - Security policy delivery method and network element and system for implementing same - Google Patents

Security policy delivery method and network element and system for implementing the same

Info

Publication number
WO2013071821A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
location
security
ilr
security policy
Application number
PCT/CN2012/083791
Other languages
French (fr)
Chinese (zh)
Inventor
颜正清
张世伟
符涛
Original Assignee
中兴通讯股份有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/63 Location-dependent; Proximity-dependent

Definitions

  • The network shown in Figure 2 has the following characteristics. Each user can access the network only after strict authentication. Every data packet a user sends carries the user's own real access identifier (AID); this identifier is assigned to that user only and is unique across the entire network, and the packets the user sends in all services always carry it. Every packet sent by a user must be authenticated by the access server (ASR) to ensure that it carries the sender's own access identifier, so that a user cannot impersonate another user's AID to access the network. The identifier stays unchanged while the packet is forwarded within the network, and it does not change when the user moves or hands over.
  • When the user moves, the ASR reports the user's new location information to the ILR.
  • The ILR notifies the PS (Policy Server) of the user's new location information (for example, the RID of the ASR), and the PS delivers the user-based security policy to the corresponding security device according to the user's new location.
  • The ILR notifies the PS of the user's new location so that the PS sends the user-based security policy to the security device at the location where the user is currently located.
  • This provides a user-based security policy delivery mechanism that is dynamic across the entire network.
  • Step 301: After receiving the user location registration request sent by the ASR, the ILR sends a message indicating the user's new location to the PS.
  • After receiving the user location registration request, the ILR also updates the locally stored mapping between the user's access identifier and location.
  • Step 302: After receiving the message from the ILR indicating the user's new location, the PS sends the security policy related to the user to the security enforcement entity at the user's current location.
  • After receiving the message from the ILR indicating the user's new location, the PS records the user's current location and sends the user-related security policy to the security enforcement entity at the user's current location.
  • The security enforcement entity includes the SG or an ASR with SG function.
  • The ILR sends the user's current location to the PS when the user's location changes.
  • The PS first determines whether the user's location has changed. If it has, the PS sends the user-related security policy to the security enforcement entity at the user's current location; if it has not, nothing is sent.
  • The SG can be deployed independently of the ASR, or the SG functions can be integrated into the ASR. If the SG is deployed separately from the ASR, the PS must maintain an association table between SGs and ASRs: when the user moves to the location of an ASR, the PS looks up the SG for that ASR's location and then issues the security policy.
  • Figure 4 shows an embodiment of security policy delivery in an identity and location separation network.
  • The user first accesses the network through ASR1, and the PS (Policy Server) sends the user-related security policy to SG (Security Gateway) 1.
  • When the user moves to ASR2, the ILR informs the PS; the PS sends the user-related security policy to SG2 and deletes the user-related security policy on SG1.
  • The security device SG can be a standalone device, or the functions of the security device can be integrated into the ASR.
  • S400: The user comes online at ASR1, and ASR1 sends the user's location registration request to the ILR.
  • The ILR receives the user's location registration request and, after completing the registration, sends a location registration response to ASR1;
  • the ILR notifies the PS of the user's location, and the PS records the user's location;
  • the PS sends the user-related security policy to SG1, where the user is located, according to the user's location.
  • After receiving the user location registration request sent by ASR2 and updating the user's identity-to-location mapping, the ILR sends a user location registration response to ASR2.
  • After updating the user's identity-to-location mapping, the ILR sends a user location change message to the PS carrying the user's new location information.
  • The PS receives the user location change message and compares it with the user's previously recorded location. If the location has changed, the PS sends the user-related security policy to SG2, where the user is now located.
  • SG2 sends a security policy response message to the PS.
  • The PS sends a deletion command for the user-related security policy to SG1.
  • The above steps complete the delivery of the user-related security policy as the user comes online at ASR1 and then moves to ASR2.
  • A system implementing the foregoing security policy delivery method includes an ILR and a PS, where: the ILR is configured to send a message indicating the user's new location to the PS after receiving the user location registration request sent by the ASR;
  • the PS is configured to, after receiving the message from the ILR indicating the user's new location, send the user-related security policy to the security enforcement entity at the user's current location.
  • The foregoing ILR includes a first receiving module and a first sending module, where:
  • the first receiving module is configured to receive the user location registration request sent by the ASR;
  • the first sending module is configured to send the message indicating the user's new location to the PS after the first receiving module receives the user location registration request.
  • The ILR further includes a first saving module, configured to update the locally stored mapping between the user's access identifier and location after the first receiving module receives the user location registration request.
  • The foregoing PS includes a second receiving module and a second sending module, where: the second receiving module is configured to receive the message sent by the ILR indicating the user's new location; the second sending module is configured to send the user-related security policy to the security enforcement entity at the user's current location after the second receiving module receives that message.
  • The PS further includes a second saving module, configured to record the user's current location after the second receiving module receives the message from the ILR indicating the user's new location.
  • The PS further includes a determining module, configured to determine, after the second receiving module receives the message from the ILR indicating the user's new location, whether the user's location has changed and, if it has, to notify the second sending module to send the user-related security policy to the security enforcement entity at the user's current location.
  • The above security enforcement entities include the SG or an ASR with SG function.
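The Figure 4 flow and the ILR/PS module structure above, modelled as an added example that is not code from the patent or from any product: the ILR updates its AID-to-location mapping and notifies the PS, the PS delivers a policy only when the recorded location actually changed, and it withdraws the policy from the old SG only after the new SG has responded. The class and method names, the SAMPLE_POLICIES entry and the ASR-to-SG association table are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample data: one user-based policy keyed by the network-wide unique AID.
SAMPLE_POLICIES = {
    "AID1": {"allow": ["tcp/443"], "deny": ["tcp/23"], "rate_limit_pps": 1000},
}


@dataclass
class SecurityGateway:
    """Security enforcement entity: a standalone SG, or the SG function inside an ASR."""
    name: str
    policies: Dict[str, dict] = field(default_factory=dict)  # AID -> installed policy

    def install(self, aid: str, policy: dict) -> str:
        self.policies[aid] = policy
        return "policy-response-ok"  # the SG's security policy response message

    def delete(self, aid: str) -> str:
        self.policies.pop(aid, None)
        return "delete-response-ok"


class PolicyServer:
    """PS: records each user's current location and pushes policy only on a change."""

    def __init__(self, sg_for_asr: Dict[str, SecurityGateway], policies: Dict[str, dict]):
        # Association table ASR (RID) -> SG. For an ASR with integrated SG function,
        # map the ASR to a SecurityGateway object representing the ASR itself.
        self.sg_for_asr = sg_for_asr
        self.policies = policies
        self.location: Dict[str, str] = {}  # AID -> ASR where the user currently is
        self.events: List[str] = []         # audit trail of delivery decisions

    def on_new_location(self, aid: str, asr: str) -> str:
        """Handle the ILR's 'new location' message (step 302 / determining module)."""
        old_asr = self.location.get(aid)
        if old_asr == asr:
            self.events.append(f"{aid}: location {asr} unchanged, no delivery")
            return "unchanged"
        if aid not in self.policies:
            self.events.append(f"{aid}: no policy defined, nothing delivered")
            self.location[aid] = asr
            return "no-policy"
        new_sg = self.sg_for_asr[asr]
        resp = new_sg.install(aid, self.policies[aid])
        self.events.append(f"{aid}: policy installed on {new_sg.name} ({resp})")
        # Withdraw from the old SG only after the new SG acknowledged, and only if
        # the old ASR is served by a different SG (two ASRs may share one SG).
        if old_asr is not None and resp == "policy-response-ok":
            old_sg = self.sg_for_asr[old_asr]
            if old_sg is not new_sg:
                old_sg.delete(aid)
                self.events.append(f"{aid}: policy deleted from {old_sg.name}")
        self.location[aid] = asr
        return "delivered"


class IdentityLocationRegister:
    """ILR: keeps the AID -> location mapping and notifies the PS on registration."""

    def __init__(self, ps: PolicyServer):
        self.mapping: Dict[str, str] = {}
        self.ps = ps

    def register(self, aid: str, asr: str) -> str:
        """Handle a user location registration request from an ASR (step 301)."""
        self.mapping[aid] = asr              # update the AID -> location mapping
        self.ps.on_new_location(aid, asr)    # message indicating the user's new location
        return "location-registration-response"


def run_figure4_scenario():
    """Constructed walk-through of the Figure 4 flow: online at ASR1, then move to ASR2."""
    sg1, sg2 = SecurityGateway("SG1"), SecurityGateway("SG2")
    ps = PolicyServer({"ASR1": sg1, "ASR2": sg2}, SAMPLE_POLICIES)
    ilr = IdentityLocationRegister(ps)
    ilr.register("AID1", "ASR1")  # user comes online at ASR1 -> policy lands on SG1
    ilr.register("AID1", "ASR2")  # user moves to ASR2 -> policy on SG2, removed from SG1
    ilr.register("AID1", "ASR2")  # repeated registration at ASR2 -> no delivery
    return ps, sg1, sg2


if __name__ == "__main__":
    ps, _, _ = run_figure4_scenario()
    for line in ps.events:
        print(line)
```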

Abstract

Disclosed are a security policy delivery method and a network element and a system for implementing same, which can implement a same security policy for a user throughout a network. The method comprises: after receiving a location registration request of a user from an access server (ASR), an identity location register (ILR) sending a message indicating a new location of the user to a policy server (PS); and after receiving the message indicating the new location of the user from the ILR, the PS sending a security policy related to the user to a security execution entity for the current location of the user. The system comprises an ILR and a PS. The ILR comprises a receiving module and a sending module. The PS comprises a receiving module and a sending module.

Description

Security policy delivery method and network element and system for implementing the same
Technical field
The present invention relates to the fields of mobile communications and the Internet, and specifically to a security policy delivery method and a network element and system for implementing the method.
Background
With network convergence and the trend toward all-IP networks, security problems are becoming more serious, and a corresponding variety of security devices keeps emerging. At present, traditional security devices have developed toward high capacity and high performance and mainly address security threats at the network layer. A wide range of application-level security devices and detection devices are also deployed in networks to resist security threats from every layer of the network.
Traditional security devices mainly provide basic functions such as packet filtering, NAT (Network Address Translation), anti-DDoS (Distributed Denial of Service) and protection against malformed packet attacks, and can resist security threats from the network layer. With the development of networks and the richness of network applications, attack techniques targeting the application layer have developed rapidly, and security devices that resist these application-layer attacks have emerged accordingly, such as IDS (Intrusion Detection System), IPS (Intrusion Protection System) and UTM (Unified Threat Management) devices.
As awareness of security protection grows, security devices are deployed at every node of the network, strengthening its protection. Because of the growing number of security devices, their policies are delivered in a unified way, as shown in Figure 1: a security policy server can exchange signaling with the security enforcement entities (also called security devices) to deliver security policies, reducing the cost of maintaining security devices manually.
With the development of mobile networks, however, more and more users move between different networks. In existing networks, because of the ambiguity of the IP address (it represents both the user's identity and the user's location), a user who accesses the network at different nodes obtains a different IP address. The existing policy delivery mechanism can only deliver a security policy for a fixed user to a single security device; it cannot deliver the same security policy for a mobile user to multiple security devices. In other words, the security policy server cannot deliver a user-based security policy to the security devices at the different nodes through which that user accesses the network. In summary, because the identity (the IP address) changes as the user moves, the existing security policy delivery mechanism cannot apply the same security policy to a user across the entire network.
Summary of the invention
An embodiment of the invention provides a security policy delivery method that can apply the same security policy to a user across the entire network.
The security policy delivery method includes:
after receiving a user location registration request sent by an access server (ASR), an identity and location register (ILR) sends a message indicating the user's new location to a policy server (PS); after receiving the message from the ILR indicating the user's new location, the PS sends the security policy related to the user to the security enforcement entity at the user's current location.
Preferably, after the ILR receives the user location registration request, the method further includes: the ILR updating the locally stored mapping between the user's access identifier and location.
Preferably, after the PS receives the message from the ILR indicating the user's new location, the method further includes: the PS recording the user's current location.
Preferably, the PS sending the user-related security policy to the security enforcement entity at the user's current location includes: the PS first determining whether the user's location has changed and, if it has, sending the user-related security policy to the security enforcement entity at the user's current location.
Preferably, the security enforcement entity includes a security gateway (SG) or an ASR with SG function.
An embodiment of the invention further provides a security policy delivery system that can apply the same security policy to a user across the entire network.
The security policy delivery system includes an identity and location register (ILR) and a policy server (PS), where:
the ILR is configured to send a message indicating the user's new location to the PS after receiving a user location registration request sent by an access server (ASR); the PS is configured to, after receiving the message from the ILR indicating the user's new location, send the user-related security policy to the security enforcement entity at the user's current location.
Preferably, the PS is further configured to record the user's current location after receiving the message from the ILR indicating the user's new location.
Preferably, the PS is configured to send the user-related security policy to the security enforcement entity at the user's current location in the following manner: first determining whether the user's location has changed and, only if it has, sending the user-related security policy to the security enforcement entity at the user's current location.
Preferably, the security enforcement entity includes a security gateway (SG) or an ASR with SG function.
An embodiment of the invention further provides an identity and location register (ILR) that lets the security policy server know when to deliver a security policy to a security enforcement entity.
The identity and location register (ILR) includes a receiving module and a sending module, where:
the receiving module is configured to receive a user location registration request sent by an access server (ASR);
the sending module is configured to send a message indicating the user's new location to the policy server (PS) after the receiving module receives the user location registration request.
Preferably, the ILR further includes a saving module, configured to update the locally stored mapping between the user's access identifier and location after the receiving module receives the user location registration request.
An embodiment of the invention further provides a policy server (PS) that implements the security policy delivery system and can apply the same security policy to a user across the entire network.
The policy server (PS) includes a receiving module and a sending module, where: the receiving module is configured to receive a message sent by the identity and location register (ILR) indicating the user's new location; the sending module is configured to send the user-related security policy to the security enforcement entity at the user's current location after the receiving module receives the message indicating the user's new location.
Preferably, the PS further includes a saving module, configured to record the user's current location after the receiving module receives the message from the ILR indicating the user's new location.
Preferably, the PS further includes a determining module, configured to determine, after the receiving module receives the message from the ILR indicating the user's new location, whether the user's location has changed and, if it has, to notify the sending module to send the user-related security policy to the security enforcement entity at the user's current location.
Preferably, the security enforcement entity includes a security gateway (SG) or an ASR with SG function.
本发明实施例通过结合身份标识和位置分离网络, 由 ILR根据 AID设置 查询用户位置信息, 在用户位置发生变化时, ILR可及时通知 PS向用户所在 位置的安全设备下发基于该用户 AID的安全策略, 利用用户接入标识(AID, Access Identification ) 的全网唯一性来进行基于用户的全网安全策略下发。 附图概述 The embodiment of the present invention combines the identity identification and the location separation network, and the ILR queries the user location information according to the AID setting. When the user location changes, the ILR can notify the PS to timely deliver the security based on the user AID to the security device at the location of the user. The policy uses the network-wide uniqueness of the user identification identifier (AID) to deliver the user-based network-wide security policy. BRIEF abstract
FIG. 1 is a schematic diagram of security policy delivery;
FIG. 2 is a system architecture diagram of the SILSN;
FIG. 3 is a flowchart of dynamically delivering a user-based security policy across the whole network according to an embodiment of the present invention;
FIG. 4 is a flowchart of an application example of the present invention;
FIG. 5 is a schematic structural diagram of a system for implementing security policy delivery according to an embodiment of the present invention.
Preferred embodiments of the invention
In an identity-and-location separation network the user access identifier (Access Identification, AID) is unique across the whole network, which is the precondition for dynamically delivering security policies network-wide. FIG. 2 is an architecture diagram of an identity-and-location separation network. In this figure, the Subscriber Identifier & Locator Separation Network (SILSN) consists of Access Service Routers (ASR), User Equipment (UE), an Identification & Location Register (ILR) and an Authentication Center (AC). The access service routers ASR1 and ASR2 attach the user terminals UE1 and UE2 respectively; they provide access for the user terminals and take on functions such as charging, handover and security. The ILR performs location registration and identification of users. The AC performs user access authentication. UE1 and UE2 have the unique identifiers AID1 and AID2 respectively.
The network shown in FIG. 2 has the following characteristics. A user can access the network only after strict authentication. Every data packet the user sends carries the user's own real access identifier AID; this identifier is allocated only to that user and is unique in the whole network, and the packets the user sends in every service always carry it. Every packet sent by the user must be verified by the access service router ASR, which guarantees that the packet carries the sender's own access identifier and that a user cannot access the network by impersonating another user's AID. The identifier remains unchanged while it is carried within the network, and it does not change when the user moves or is handed over.
In FIG. 2, users UE1 and UE2 access the network through ASR1 and ASR2 respectively and must be authenticated by the AC. After authentication succeeds, the ASR reports the location information of the user to the ILR. The ILR notifies the PS (Policy Server) of the user's new location (for example the RID of the ASR), and the PS delivers a security policy based on that user to the corresponding security device according to the new location. Because the ILR observes the location information of users, whenever an ASR registers or updates a user's location with the ILR, the ILR notifies the PS of the new location and the PS delivers the user-based security policy to the security device at the user's new location; this implements a network-wide, dynamic, user-based security policy delivery mechanism.
Embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that the embodiments of the present application, and the features of those embodiments, may be combined with each other arbitrarily provided they do not conflict.
As shown in FIG. 3, the method includes the following steps:
Step 301: after receiving a user location registration request sent by an ASR, the ILR sends a message indicating the new location of the user to the PS.
Preferably, after receiving the user location registration request, the ILR also updates the locally stored mapping between the access identifier of the user and the location of the user.
Step 302: after receiving the message sent by the ILR indicating the new location of the user, the PS sends a security policy related to the user to the security enforcement entity at the current location of the user.
Specifically, after receiving the message from the ILR indicating the new location of the user, the PS records the current location of the user and sends the security policy related to the user to the security enforcement entity at that location. The security enforcement entity includes an SG, or an ASR having SG functionality.
Usually the ILR sends the user's current location to the PS whenever the user's location changes. Nevertheless, as an optimization, the PS preferably first determines, after receiving the message from the ILR, whether the location of the user has actually changed; only if it has does the PS send the security policy related to the user to the security enforcement entity at the user's current location, and if it has not changed nothing is sent.
As for the relationship between the SG and the ASR, the SG may be deployed independently of the ASR, or the SG functionality may be integrated into the ASR. If the SG is deployed separately from the ASR, the PS must maintain an association table between SGs and ASRs. When a user moves to the location of an ASR, the PS looks up the SG for that location according to the location of the ASR and then delivers the security policy.
Application example
FIG. 4 shows an embodiment in which a security policy is delivered in an identity-and-location separation network. The user first accesses the network at ASR1, and the PS (Policy Server) delivers the security policy related to that user to SG1 (Security Gateway 1). After the user moves to ASR2, the ILR notifies the PS that the user has moved to ASR2; the PS then delivers the security policy related to the user to SG2 and at the same time deletes the security policy related to the user from SG1.
In FIG. 4, the security device SG may be a stand-alone device, or the functions of the security device may be integrated into the ASR.
S400: the user comes online at ASR1, and ASR1 sends a location registration request for the user to the ILR;
S404: the ILR receives the location registration request for the user and, after completing the registration, sends a location registration response to ASR1;
S408: the ILR notifies the PS of the location of the user, and the PS records the location of the user;
S412: according to the location of the user, the PS sends the security policy related to the user to SG1 at the user's location;
S416: SG1 receives the security policy related to the user and sends a security policy delivery response to the PS;
S420: the user moves from ASR1 to ASR2, and ASR2 sends a user location registration request to the ILR;
S424: the ILR receives the user location registration request sent by ASR2, updates the mapping between the user's identity and location, and then sends a user location registration response to ASR2;
S428: after updating the mapping between the user's identity and location, the ILR sends a user location change message carrying the user's new location information to the PS;
S432: the PS receives the user location change message and compares it with the user's previous location; if the location has changed, the PS delivers the security policy related to the user to SG2 at the user's new location;
S436: SG2 sends a security policy response message to the PS;
S440: the PS sends a command to SG1 to delete the security policy related to the user;
S444: SG1 sends a command response to the PS.
The above flow covers the delivery of the security policy related to the user while the user comes online at ASR1 and then moves to ASR2.
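The flow of steps 301 and 302 and of S400 to S444 above, as an added simulation that is not part of the patent: the ILR, PolicyServer and SecurityGateway classes, the message names and the identifiers (AID-1, RID-ASR1, RID-ASR2) are constructed for illustration, and the PS keeps the ASR-to-SG association table the description calls for when SGs are deployed separately from ASRs. It also exercises the step 302 optimization (a re-registration at the same ASR delivers nothing) and the S440 clean-up that leaves no stale rule on the previous SG.

```python
"""Simulation of the user-based security policy delivery flow (steps 301/302
and S400-S444).  Added example, not the applicant's implementation: the
classes, message names and identifiers below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class SecurityGateway:
    """Security enforcement entity: an SG, or an ASR with integrated SG function."""
    name: str
    policies: dict = field(default_factory=dict)  # AID -> installed policy
    log: list = field(default_factory=list)       # commands received from the PS

    def install(self, aid, policy):
        """S412/S432: install the policy for this AID and answer the PS."""
        self.policies[aid] = policy
        self.log.append(("install", aid))
        return "security_policy_delivery_response"   # S416 / S436

    def delete(self, aid):
        """S440: remove the policy for this AID and answer the PS."""
        self.policies.pop(aid, None)
        self.log.append(("delete", aid))
        return "command_response"                     # S444


class PolicyServer:
    """PS: per-user policies keyed by AID, the last recorded location of each
    user and, because the SGs here are deployed separately from the ASRs,
    the ASR-to-SG association table the description requires."""

    def __init__(self, asr_to_sg, user_policies):
        self.asr_to_sg = asr_to_sg          # RID of an ASR -> SecurityGateway
        self.user_policies = user_policies  # AID -> policy (constructed)
        self.location = {}                  # AID -> RID recorded at S408/S432

    def on_new_location(self, aid, rid):
        """Handle the ILR's 'new location' message for one user."""
        old_rid = self.location.get(aid)
        if old_rid == rid:
            # Step 302 optimisation: location unchanged, send nothing.
            return "unchanged"
        self.location[aid] = rid                          # record (S408)
        policy = self.user_policies[aid]
        self.asr_to_sg[rid].install(aid, policy)          # S412 / S432
        if old_rid is not None:
            self.asr_to_sg[old_rid].delete(aid)           # S440: no stale rule
        return "delivered"


class ILR:
    """ILR: AID -> RID mapping refreshed on every registration, plus PS notification."""

    def __init__(self, ps):
        self.ps = ps
        self.mapping = {}

    def register_location(self, aid, rid):
        """Handle an ASR's user location registration request (S400 / S420)."""
        self.mapping[aid] = rid                            # update mapping (S424)
        self.ps.on_new_location(aid, rid)                  # notify PS (S408 / S428)
        return "location_registration_response"           # S404 / S424 back to ASR


def run_scenario():
    """User AID-1 comes online at ASR1, re-registers there, then moves to ASR2."""
    sg1, sg2 = SecurityGateway("SG1"), SecurityGateway("SG2")
    ps = PolicyServer({"RID-ASR1": sg1, "RID-ASR2": sg2},
                      {"AID-1": "drop inbound except established"})  # constructed
    ilr = ILR(ps)
    ilr.register_location("AID-1", "RID-ASR1")   # online at ASR1 (S400-S416)
    ilr.register_location("AID-1", "RID-ASR1")   # same ASR again: PS sends nothing
    ilr.register_location("AID-1", "RID-ASR2")   # move to ASR2 (S420-S444)
    return ilr, ps, sg1, sg2


if __name__ == "__main__":
    ilr, ps, sg1, sg2 = run_scenario()
    print("ILR mapping:", ilr.mapping)
    print("SG1 policies:", sg1.policies, "log:", sg1.log)
    print("SG2 policies:", sg2.policies, "log:", sg2.log)
```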
A system for implementing the above security policy delivery method, as shown in FIG. 5, includes an ILR and a PS, where: the ILR is configured to send a message indicating the new location of a user to the PS after receiving a user location registration request sent by an ASR;
the PS is configured to send a security policy related to the user to the security enforcement entity at the user's current location after receiving the message sent by the ILR indicating the new location of the user.
Specifically, the ILR includes a first receiving module and a first sending module, where:
the first receiving module is configured to receive a user location registration request sent by an ASR;
the first sending module is configured to send a message indicating the new location of the user to the PS after the first receiving module receives the user location registration request.
Preferably, the ILR further includes a first storage module configured to update the locally stored mapping between the access identifier and the location of the user after the first receiving module receives the user location registration request.
Specifically, the PS includes a second receiving module and a second sending module, where: the second receiving module is configured to receive the message sent by the ILR indicating the new location of the user; the second sending module is configured to send a security policy related to the user to the security enforcement entity at the user's current location after the second receiving module receives the message indicating the new location of the user.
Preferably, the PS further includes a second storage module configured to record the current location of the user after the second receiving module receives the message sent by the ILR indicating the new location of the user.
Preferably, the PS further includes a determining module configured to determine, after the second receiving module receives the message sent by the ILR indicating the new location of the user, whether the location of the user has changed and, if it has, to notify the second sending module to send the security policy related to the user to the security enforcement entity at the user's current location.
The security enforcement entity includes an SG, or an ASR having SG functionality.
Those of ordinary skill in the art will understand that all or some of the steps of the above method may be implemented by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disk. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, the modules/units in the above embodiments may be implemented in the form of hardware or in the form of software functional modules. The present invention is not limited to any specific combination of hardware and software.
Of course, the present invention may have various other embodiments; corresponding changes and modifications made without departing from the spirit and substance of the present invention all fall within the scope of protection of the claims appended to the present invention.
Industrial applicability
In the embodiments of the present invention, by combining with an identity-and-location separation network, the ILR maintains and looks up user location information keyed by AID, and when the location of a user changes the ILR promptly notifies the PS to deliver a security policy based on that user's AID to the security device at the user's location; the network-wide uniqueness of the user AID is thus used to deliver user-based security policies across the whole network.

Claims

1. A security policy delivery method, comprising:
an Identification & Location Register (ILR), after receiving a user location registration request sent by an Access Service Router (ASR), sending a message indicating a new location of the user to a Policy Server (PS); and
the PS, after receiving the message sent by the ILR indicating the new location of the user, sending a security policy related to the user to a security enforcement entity at the current location of the user.
2. The method according to claim 1, wherein:
after the ILR receives the user location registration request, the method further comprises: the ILR updating a locally stored mapping between an access identifier of the user and the location of the user.
3. The method according to claim 1, wherein:
after the PS receives the message sent by the ILR indicating the new location of the user, the method further comprises:
the PS recording the current location of the user.
4. The method according to claim 1 or 3, wherein:
the PS sending the security policy related to the user to the security enforcement entity at the current location of the user comprises:
the PS first determining whether the location of the user has changed and, if it has, sending the security policy related to the user to the security enforcement entity at the current location of the user.
5. The method according to claim 1, wherein:
the security enforcement entity comprises a security gateway (SG) or an ASR having SG functionality.
6. A security policy delivery system, comprising an Identification & Location Register (ILR) and a Policy Server (PS), wherein:
the ILR is configured to send a message indicating a new location of a user to the PS after receiving a user location registration request sent by an Access Service Router (ASR); and
the PS is configured to send a security policy related to the user to a security enforcement entity at the current location of the user after receiving the message sent by the ILR indicating the new location of the user.
7. The system according to claim 6, wherein:
the PS is further configured to record the current location of the user after receiving the message sent by the ILR indicating the new location of the user.
8. The system according to claim 6 or 7, wherein:
the PS is configured to send the security policy related to the user to the security enforcement entity at the current location of the user in the following manner: first determining whether the location of the user has changed and, if it has, sending the security policy related to the user to the security enforcement entity at the current location of the user.
9. The system according to claim 7 or 8, wherein:
the security enforcement entity comprises a security gateway (SG) or an ASR having SG functionality.
10. An Identification & Location Register (ILR), comprising a receiving module and a sending module, wherein:
the receiving module is configured to receive a user location registration request sent by an Access Service Router (ASR); and
the sending module is configured to send a message indicating a new location of the user to a Policy Server (PS) after the receiving module receives the user location registration request.
11. The ILR according to claim 10, wherein:
the ILR further comprises a storage module configured to update a locally stored mapping between an access identifier of the user and the location of the user after the receiving module receives the user location registration request.
12. A Policy Server (PS), comprising a receiving module and a sending module, wherein: the receiving module is configured to receive a message sent by an Identification & Location Register (ILR) indicating a new location of a user; and
the sending module is configured to send a security policy related to the user to a security enforcement entity at the current location of the user after the receiving module receives the message indicating the new location of the user.
13. The PS according to claim 12, wherein:
the PS further comprises a storage module configured to record the current location of the user after the receiving module receives the message sent by the ILR indicating the new location of the user.
14. The PS according to claim 12, wherein: the PS further comprises a determining module configured to determine, after the receiving module receives the message sent by the ILR indicating the new location of the user, whether the location of the user has changed and, if it has, to notify the sending module to send the security policy related to the user to the security enforcement entity at the current location of the user.
15. The PS according to claim 14, wherein:
the security enforcement entity comprises a security gateway (SG) or an ASR having SG functionality.
PCT/CN2012/083791, priority date 2011-11-15, filed 2012-10-31: Security policy delivery method and network element and system for implementing same, published as WO2013071821A1 on 2013-05-23. Priority application: CN201110361684.4 (filed 2011-11-15), published as CN103108302B.
