WO2015127831A1 - Anti-intrusion method and access device - Google Patents

Anti-intrusion method and access device

Info

Publication number
WO2015127831A1
Authority
WO
WIPO (PCT)
Prior art keywords
interface
access device
mode
message
network
Application number
PCT/CN2015/070371
Other languages
French (fr)
Chinese (zh)
Inventor
郭金亮
张连军
Original Assignee
华为技术有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55: Detecting local intrusion or implementing counter-measures
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08: Access security
    • H04W 12/082: Access security using revocation of authorisation
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12: Detection or prevention of fraud
    • H04W 12/121: Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122: Counter-measures against attacks; Protection against rogue devices

Definitions

  • The embodiments of the present invention relate to the field of network technologies, and in particular to a method for preventing intrusion and to an access device.
  • The power business is divided into power generation, transmission, substation, dispatch, distribution, and power consumption.
  • Because the distribution and power consumption services extend to roadsides and buildings, the security of the original dedicated power network is seriously weakened.
  • An attacker can therefore easily gain access to the power distribution network and the power consumption network.
  • For example, a hacker can illegally connect to the power distribution network through an optical network unit (ONU) interface, or to the power consumption network through a concentrator interface, and thereby intrude into and control these networks.
  • The power distribution and power consumption networks, and even the dispatching automation system, are thus exposed, which can lead to serious consequences such as power distribution and power consumption faults and even grid safety accidents.
  • Embodiments of the present invention provide a method for preventing intrusion so as to improve network security.
  • A first aspect provides a method for preventing intrusion. The method is applied to an access device that includes an interface, and a terminal accesses the network where the access device is located through the interface.
  • The method includes: the access device determines that a trigger event is satisfied, where the trigger event indicates that the access device is at risk of intrusion at the interface; and the access device sets the working mode of the interface to a blocking mode, which prevents any terminal from accessing the network where the access device is located through the interface.
  • When the access device has its interface state monitoring function enabled, the trigger event includes: the state of the interface changes from UP to DOWN; or the working mode of the interface is the running mode and the duration for which the interface is DOWN exceeds a preset threshold; or the access device is restarted. When the access device is starting the interface state monitoring function, the trigger event includes: the state of the interface is DOWN.
  • The method further includes: the access device generates a first message, where the first message indicates that the working mode of the interface is the blocking mode; and the access device sends the first message to a network management system.
  • The method further includes: the access device receives a second message sent by the network management system, where the second message instructs the access device to switch the working mode of the interface to the running mode; and the access device switches the working mode of the interface to the running mode according to the second message.
  • The method further includes: the access device receives a third message sent by the network management system, where the third message indicates that the interface needs to be debugged; and the access device switches the working mode of the interface to the debugging mode according to the third message.
  • A second aspect provides an access device that includes an interface through which a terminal accesses the network where the access device is located. The access device includes: a determining unit, configured to determine that a trigger event is satisfied, where the trigger event indicates that the access device is at risk of intrusion at the interface; and a setting unit, configured to set the working mode of the interface to a blocking mode, where the blocking mode prevents any terminal from accessing the network where the access device is located through the interface.
  • When the access device has its interface state monitoring function enabled, the trigger event includes: the state of the interface changes from UP to DOWN; or the working mode of the interface is the running mode and the duration for which the interface is DOWN exceeds a preset threshold; or the access device is restarted.
  • When the access device is starting the interface state monitoring function, the trigger event includes: the state of the interface is DOWN.
  • The access device further includes: a generating unit, configured to generate a first message, where the first message indicates that the working mode of the interface is the blocking mode; and a sending unit, configured to send the first message generated by the generating unit to a network management system.
  • The access device further includes: a receiving unit, configured to receive a second message sent by the network management system, where the second message instructs the access device to switch the working mode of the interface to the running mode; and the setting unit is further configured to switch the working mode of the interface to the running mode according to the second message received by the receiving unit.
  • The receiving unit is further configured to receive a third message sent by the network management system, where the third message indicates that the interface needs to be debugged, and the setting unit is further configured to switch the working mode of the interface to the debugging mode according to the third message received by the receiving unit.
  • A third aspect provides an access device that includes an interface through which a terminal accesses the network where the access device is located, and the access device further includes a processor and a memory.
  • The memory is used to store program code.
  • The processor is configured to read the program code in the memory and execute: determining that a trigger event is satisfied, where the trigger event indicates that the access device is at risk of intrusion at the interface; and setting the working mode of the interface to a blocking mode, which prevents any terminal from accessing the network where the access device is located through the interface.
  • When the access device has its interface state monitoring function enabled, the trigger event includes: the state of the interface changes from UP to DOWN; or the working mode of the interface is the running mode and the duration for which the interface is DOWN exceeds a preset threshold; or the access device is restarted.
  • When the access device is starting the interface state monitoring function, the trigger event includes: the state of the interface is DOWN.
  • The access device further includes a sending circuit that communicates with the network management system through a port in the access device. The processor is further configured to generate a first message, where the first message indicates that the working mode of the interface is the blocking mode, and the sending circuit is configured to send the first message generated by the processor to the network management system.
  • The access device further includes a receiving circuit that communicates with the network management system through a port in the access device. The receiving circuit is configured to receive a second message sent by the network management system, where the second message instructs the access device to switch the working mode of the interface to the running mode, and the processor is further configured to switch the working mode of the interface to the running mode according to the second message received by the receiving circuit.
  • In a fourth possible implementation manner of the third aspect, the receiving circuit is further configured to receive a third message sent by the network management system, where the third message indicates that the interface needs to be debugged, and the processor is further configured to switch the working mode of the interface to the debugging mode according to the third message received by the receiving circuit.
  • The access device in the embodiment of the present invention includes at least one interface. Setting the working mode of an interface to the blocking mode prevents any terminal from accessing the network where the access device is located through that interface, thereby improving the security of that network.
  • The access device performs the foregoing processing on each of the at least one interface, so that no terminal can communicate with the access device or with an upstream network device of the access device through a blocked interface, which effectively prevents hacker access and protects the security of the network.
  • FIG. 1 is a schematic diagram of a scenario of an embodiment of the present invention.
  • FIG. 2 is a flow chart of a method for preventing intrusion according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of switching between modes of operation of an interface in accordance with an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method for preventing intrusion according to an embodiment of the present invention.
  • FIG. 5 is a block diagram of an access device in accordance with one embodiment of the present invention.
  • FIG. 6 is a block diagram of an access device in accordance with another embodiment of the present invention.
  • The access device may be a power-dedicated communication device, such as an ONU or a concentrator.
  • The access device can also be another communication device, such as a switch, a router or Customer Premises Equipment (CPE).
  • The access device may also be another type of access device connected to the terminal, which is not limited by the present invention.
  • The terminal connected to the access device may be a user terminal, a hub, or another type of terminal, which is not limited by the present invention.
  • FIG. 1 is a schematic diagram of a scenario of an embodiment of the present invention.
  • The scenario shown in FIG. 1 includes an access device 100 having multiple interfaces.
  • The access device 100 shown in FIG. 1 has six interfaces, interface 101 to interface 106, and a first terminal 110 that communicates with the access device 100 through interface 106.
  • The number of interfaces of the access device is not limited in the embodiment of the present invention; the six interfaces of the access device in FIG. 1 are only schematic.
  • The access device in the embodiment of the present invention further has a central processing unit, a port for connecting to the network management system, and other components that are not shown in FIG. 1. The invention is not limited thereto.
  • FIG. 2 is a flow chart of a method for preventing intrusion according to an embodiment of the present invention.
  • The method shown in FIG. 2 is performed by an access device that includes an interface, and a terminal accesses the network where the access device is located through the interface.
  • The method of FIG. 2 includes: 201, the access device determines that a trigger event is satisfied, where the trigger event indicates that the access device is at risk of intrusion at the interface; and 202, the access device sets the working mode of the interface to a blocking mode, which prevents any terminal from accessing the network where the access device is located through the interface.
  • The access device in the embodiment of the present invention includes at least one interface. Setting the working mode of an interface to the blocking mode prevents any terminal from accessing the network where the access device is located through that interface, thereby improving the security of that network.
  • The access device performs the foregoing processing on each of the at least one interface, so that no terminal can communicate with the access device or with an upstream network device of the access device through a blocked interface, which effectively prevents hacker access and protects the security of the network.
  • The access device includes an interface, and the state of the interface is UP or DOWN.
  • The state of the interface being UP can be understood as: the first terminal is connected to the access device through the interface and is communicating.
  • The state of the interface being DOWN can be understood as: the interface is idle, and no terminal is connected to the access device through the interface.
  • The communication in the embodiment of the present invention may be communication with the access device itself, or with other devices in the network where the access device is located, which is not limited by the present invention.
  • The state of the interface changing from UP to DOWN can be understood as: the relationship between the first terminal and the access device on the interface changes from connected to disconnected.
  • The state of the interface changing from DOWN to UP can be understood as: the interface is initially idle, and then the first terminal connects to the access device through the interface and communicates.
  • The working mode of the interface is one of a debugging mode, a running mode and a blocking mode, as shown in FIG. 3.
  • In the running mode the state of the interface may be UP or DOWN. Specifically, when the working mode of the interface is the running mode and the state of the interface is DOWN, the interface can also be said to be able to come UP: its current state is DOWN, but it can be brought UP. If a second terminal attempts to connect to the access device through the interface, the second terminal can access the network where the access device is located and communicate. The second terminal may be the first terminal or any other terminal different from the first terminal.
  • In the blocking mode the interface can be said to be unable to come UP: its current state is DOWN, and the access device does not allow any terminal to communicate through the interface.
  • The access device may have an interface state monitoring function, which is used to monitor the state changes of each interface of the access device.
  • The access device may be in a deployment phase or in a running phase.
  • In the deployment phase, the interface state monitoring function of the access device is disabled, which facilitates the deployment and debugging of the access device. In the running phase, the interface state monitoring function of the access device is enabled.
  • The interface state monitoring function is disabled for all interfaces of the access device at the same time, and is likewise enabled for all interfaces at the same time.
  • When the interface state monitoring function of the access device is disabled, the working modes of all interfaces of the access device are the debugging mode. When the interface state monitoring function is enabled, the working mode of each interface of the access device is the running mode or the blocking mode.
  • In other words, when the access device is in the deployment phase, the working mode of the interface is the debugging mode; when the access device is in the running phase, the working mode of the interface is the running mode or the blocking mode.
  • Optionally, the trigger event in 201 may be: the state of the interface changes from UP to DOWN; or the working mode of the interface is the running mode and the time for which the interface is DOWN exceeds a preset threshold; or the access device is restarted.
  • When the trigger event is that the state of the interface changes from UP to DOWN, it can be understood that the state of the interface changes from UP to DOWN while the working mode of the interface is the running mode.
  • When the trigger event is that the access device is restarted, the interface can be understood as any interface of the access device.
  • The embodiment of the present invention does not limit the size of the preset threshold. The preset threshold may be 10 minutes, or 1 hour, or another value, which is not limited by the present invention.
  • In this case, 201 and 202 are performed while the access device is in the running phase, or equivalently while the access device has the interface state monitoring function enabled. In 202, the access device then sets the working mode of the interface from the running mode to the blocking mode according to the trigger event, as shown by 301 in FIG. 3.
  • Optionally, the trigger event in 201 may also be: the state of the interface of the access device is DOWN. Specifically, the trigger event is that the state of the interface is DOWN when the access device switches from the deployment phase to the running phase.
  • In this case, 201 and 202 are performed when the access device is starting the interface state monitoring function, in other words when the access device switches from the deployment phase to the running phase. In 202, the access device then switches the working mode of the interface from the debugging mode to the blocking mode, as shown by 302 in FIG. 3.
  • Optionally, the access device may also generate a first message. The access device may generate the first message at 202, at the same time as it sets the working mode of the interface to the blocking mode, or it may generate the first message before 202; the invention is not limited thereto.
  • The first message indicates that the working mode of the interface of the access device is the blocking mode.
  • Further, the access device can send the first message to a network management system.
  • The network management system may be a server on which network management software is installed, a personal computer (PC) on which network management software is installed, or another device having network management functions, which is not limited by the present invention.
  • From the first message, the network management system learns of the change in the working mode of the interface of the access device and can perform further processing accordingly.
  • Optionally, the network management system may present the information indicated by the first message to the user; for example, the interface number of the interface can be displayed on the server or PC on which the network management software is installed.
  • The user can then check the interface based on the presented information. If the user confirms that the interface has been illegally accessed, the user performs no further unblocking operation and keeps the working mode of the interface in the blocking mode. If the user confirms that the interface has been in the DOWN state for a long time and that no terminal needs to access the access device through the interface for some time, the user may likewise perform no unblocking operation and keep the working mode of the interface in the blocking mode.
  • If the user confirms that a terminal normally accesses the access device through the interface, the user can switch the working mode of the interface to the running mode through the network management system. The terminal that normally accesses the access device here may refer to a terminal that the user can identify and that is permitted to access the access device.
  • Specifically, the user can make a first input, and the network management system generates a second message according to the first input and sends the second message to the access device. The access device receives the second message, where the second message instructs the access device to switch the working mode of the interface to the running mode, and switches the working mode of the interface to the running mode according to the second message, as shown by 303 in FIG. 3.
  • In this way, when a terminal that normally accesses the access device is connected through the interface, the user can switch the working mode of the interface to the running mode by means of the second message in time, ensuring normal communication between the terminal connected through the interface and the access device.
  • Optionally, the user can also switch the working mode of the interface to the debugging mode through the network management system.
  • Specifically, the user may make a second input, and the network management system generates a third message according to the second input and sends the third message to the access device. The access device receives the third message and switches the working mode of the interface to the debugging mode according to the third message. The third message indicates that the interface of the access device needs to be debugged.
  • Optionally, the access device can disable its interface state monitoring function while switching the working mode of the interface to the debugging mode. That is, the access device switches from the running phase to the deployment phase, the interface state monitoring function is turned off, and the working modes of all interfaces of the access device are switched to the debugging mode at the same time, as shown by 304 in FIG. 3.
  • After debugging, the access device may enable its interface state monitoring function again and switch the working mode of the interface from the debugging mode to the running mode or the blocking mode.
  • Specifically, the user may make a third input, and the network management system generates a fourth message according to the third input and sends the fourth message to the access device. The access device receives the fourth message, enables its interface state monitoring function according to the fourth message, and switches the working mode of the interface to the running mode or the blocking mode. When the interface state monitoring function is enabled, the access device also switches from the deployment phase to the running phase.
  • If, when the access device enables the interface state monitoring function after debugging, it determines that the interface satisfies the trigger event, namely that the state of the interface is DOWN, the working mode of the interface is switched to the blocking mode, as shown by 302 in FIG. 3.
  • If, when the access device enables the interface state monitoring function after debugging, the state of the interface is UP, that is, a terminal that the user can identify and that is permitted to access the access device is connected at the interface, the working mode of the interface is switched to the running mode, as shown by 305 in FIG. 3.
  • In this way, the embodiment of the present invention implements the switching among the running mode, the debugging mode and the blocking mode of the interface of the access device.
  • FIG. 4 is a schematic flowchart of a method for preventing intrusion according to an embodiment of the present invention. It is assumed that the access device is in the running phase, that is, the interface state monitoring function is enabled on the access device. The method shown in FIG. 4 includes:
  • 401: the access device determines that the state of the interface changes from UP to DOWN. That is, a terminal that was communicating with the access device through the interface is disconnected from the access device. Here, the working mode of the interface is the running mode when its state changes from UP to DOWN, and the interface can be any interface of the access device. For example, the access device 100 detects that the state of the interface 106 changes from UP to DOWN.
  • 402: the access device sets the working mode of the interface to the blocking mode, and executes 403. For example, the access device 100 switches the working mode of the interface 106 from the running mode to the blocking mode.
  • 403: the access device generates a first message, and executes 404. The first message indicates that the working mode of the interface is the blocking mode.
  • 404: the access device sends the first message generated in 403 to the network management system.
  • 405: the access device receives a second message sent by the network management system, where the second message instructs the access device to switch the working mode of the interface to the running mode, and executes 406.
  • 406: the access device switches the working mode of the interface to the running mode. Switching the working mode of the interface from the blocking mode back to the running mode ensures the normal use of the interface.
  • FIG. 4 is only one embodiment of the present invention. Other embodiments that a person skilled in the art can obtain on the basis of this embodiment without inventive work are within the scope of the present invention.
  • In the embodiment of the present invention, setting the working mode of the interface to the blocking mode prevents unauthorized access to the access device through the interface, thereby effectively protecting the security of the network.
  • Taking the access device 100 shown in FIG. 1 as an example, it is assumed that the access device 100 is initially in the deployment phase. At this time the interface state monitoring function of the access device 100 is disabled, and the working modes of the interface 101 to the interface 106 of the access device 100 are all the debugging mode.
  • When the access device 100 switches from the deployment phase to the running phase, it enables its interface state monitoring function at the same time and determines that the states of the interface 101 to the interface 105 are DOWN, so the working modes of the interface 101 to the interface 105 are all switched to the blocking mode. The state of the interface 106 is UP, so the working mode of the interface 106 is switched to the running mode.
  • At this time, the first terminal 110 can communicate with the access device 100 through the interface 106, and can further communicate, through the interface 106, with the upstream network device of the access device 100.
  • At a second moment, the access device 100 sets the working modes of all of the interface 101 to the interface 106 to the blocking mode. Specifically, at the second moment the access device 100 keeps the working modes of the interface 101 to the interface 105 in the blocking mode and switches the working mode of the interface 106 from the running mode to the blocking mode. Further, under the instruction of the network management system, the access device 100 can switch the working mode of the interface 106 back to the running mode, so that the first terminal 110 connected to the access device 100 through the interface 106 can communicate normally with the access device 100.
  • Optionally, the access device 100 can also switch the working mode of one or more of the interfaces 101 to 105 to the running mode under the instruction of the network management system. For example, the network management system can instruct the access device 100 to switch the working mode of the interface 103 to the running mode so that a permitted second terminal can access the access device normally.
  • If, after the access device 100 switches the working mode of the interface 103 to the running mode, the state of the interface 103 is still DOWN once the preset threshold is exceeded, the access device 100 can switch the working mode of the interface 103 back to the blocking mode. This can also be understood as the access device 100 changing the interface 103 from being able to come UP to being unable to come UP.
  • If the access device 100 finds that the first terminal 110 has disconnected from the access device 100 at the interface 106, that is, the state of the interface 106 changes from UP to DOWN, the access device 100 switches the working mode of the interface 106 to the blocking mode at this time.
  • The access device in the embodiment of the present invention includes at least one interface. When the access device determines that it is at risk of intrusion at an interface among the at least one interface, it sets the working mode of that interface to the blocking mode, which blocks any terminal from accessing the access device through the interface and further prevents any terminal from communicating with the access device or with the upstream network device of the access device, thereby effectively preventing hackers from intruding at the physical level.
  • In addition, the method of the embodiment of the present invention is implemented on the product side without additional equipment, and can effectively save costs.
  • FIG. 5 is a block diagram of an access device in accordance with one embodiment of the present invention.
  • the access device 500 shown in FIG. 5 includes an interface for the terminal to access the network where the access device 500 is located.
  • the access device 500 includes a determining unit 501 and a setting unit 502.
  • The determining unit 501 is configured to determine that a trigger event is satisfied, where the trigger event indicates that the access device 500 is at risk of intrusion at the interface.
  • the setting unit 502 is configured to, if the determining unit 501 determines that the trigger event is satisfied, set the working mode of the interface to a blocking mode, where the blocking mode is used to prevent any terminal from accessing the network where the access device 500 is located through the interface.
  • the access device in the embodiment of the present invention includes at least one interface.
  • the working mode of the interface is set to the blocking mode, which prevents any terminal from accessing the network where the access device is located through the interface, thereby improving the security of the network where the access device is located.
  • the access device performs the foregoing processing on each of the at least one interface to prevent any terminal from communicating with the access device or with a superior network device of the access device, which can effectively prevent hacker access and protect the security of the network.
  • the access device 500 has an interface status monitoring function.
  • when the access device 500 has enabled the interface status monitoring function, the triggering event includes: the state of the interface changes from UP to DOWN, or the working mode of the interface is the operating mode and the interface has been in the DOWN state for longer than a preset threshold, or the access device 500 restarts.
  • when the access device 500 enables the interface status monitoring function, the triggering event includes: the state of the interface is DOWN.
  • the access device 500 further includes a generating unit 503 and a sending unit 504.
  • the generating unit 503 is configured to generate a first message, where the first message is used to indicate that the working mode of the interface is a blocking mode.
  • the sending unit 504 is configured to send the first message generated by the generating unit 503 to the network management system.
  • the access device 500 further includes a receiving unit 505.
  • the receiving unit 505 is configured to receive a second message sent by the network management system, where the second message is used to instruct the access device 500 to switch the working mode of the interface to an operating mode.
  • the setting unit 502 is further configured to switch the working mode of the interface to the operating mode according to the second message received by the receiving unit 505.
  • the receiving unit 505 is further configured to receive a third message sent by the network management system, where the third message is used to indicate that the interface needs to be debugged.
  • the setting unit 502 is further configured to switch the working mode of the interface to the debugging mode according to the third message received by the receiving unit 505.
  • the access device 500 can implement the various processes implemented by the access device in the embodiments of FIG. 2 and FIG. 4; to avoid repetition, details are not described here again.
  • the access device 600 in FIG. 6 includes an interface for the terminal to access the network where the access device 600 is located.
  • the access device 600 includes a processor 601, a receiving circuit 602, a sending circuit 603, and a memory 604.
  • the receiving circuit 602 and the transmitting circuit 603 communicate with the network management system through ports in the access device 600.
  • the memory 604 is configured to store program code.
  • the processor 601 is configured to read the program code in the memory 604 and execute:
  • the working mode of the interface is set to a blocking mode, and the blocking mode is used to prevent any terminal from accessing the network where the access device 600 is located through the interface.
  • the access device in the embodiment of the present invention includes at least one interface.
  • the working mode of the interface is set to the blocking mode, which prevents any terminal from accessing the network where the access device is located through the interface, thereby improving the security of the network where the access device is located.
  • the access device performs the foregoing processing on each of the at least one interface to prevent any terminal from communicating with the access device or with a superior network device of the access device, which can effectively prevent hacker access and protect the security of the network.
  • the bus system 605 includes, in addition to the data bus, a power bus, a control bus, and a status signal bus.
  • the various buses are labelled collectively as bus system 605 in the figure.
  • the processor 601 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 601 or by an instruction in the form of software.
  • the processor 601 may be a general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA Field Programmable Gate Array
  • the general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in the embodiments of the present invention may be directly implemented by a hardware decoding processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a random access memory (RAM), a flash memory, a read-only memory (ROM), a programmable read-only memory or an electrically erasable programmable memory, a register, or the like.
  • the storage medium is located in the memory 604, and the processor 601 reads the information in the memory 604 and completes the steps of the above method in combination with its hardware.
  • the access device 600 has an interface status monitoring function.
  • when the access device 600 has enabled the interface status monitoring function, the triggering event includes: the state of the interface changes from UP to DOWN, or the working mode of the interface is the operating mode and the interface has been in the DOWN state for longer than a preset threshold, or the access device 600 restarts.
  • when the access device 600 enables the interface status monitoring function, the triggering event includes: the state of the interface is DOWN.
  • the processor 601 is further configured to generate a first message, where the first message is used to indicate that the working mode of the interface is a blocking mode.
  • the transmitting circuit 603 is configured to send the first message generated by the processor 601 to the network management system.
  • the receiving circuit 602 is configured to receive a second message sent by the network management system, where the second message is used to instruct the access device 600 to switch the working mode of the interface to an operating mode.
  • the processor 601 is further configured to switch the working mode of the interface to the operating mode according to the second message received by the receiving circuit 602.
  • the receiving circuit 602 is further configured to receive a third message sent by the network management system, where the third message is used to indicate that the interface needs to be debugged.
  • the processor 601 is further configured to switch the working mode of the interface to the debugging mode according to the third message received by the receiving circuit 602.
  • the access device 600 can implement various processes implemented by the access device in the embodiments of FIG. 2 and FIG. 4, and details are not described herein again to avoid repetition.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present invention, in essence or in the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions.
  • the instructions are used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
  • the foregoing storage medium includes various media that can store program codes, such as a USB flash drive, a mobile hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Provided in an embodiment of the present invention are an anti-intrusion method and an access device comprising an interface, the method comprising: when the access device determines that a triggering event is satisfied, the access device sets the working mode of the interface to locked mode to prevent any terminal from accessing the network of the access device via the interface. The access device of the embodiment of the present invention comprises at least one interface. For any one of the interfaces, when the access device determines that there is a risk of intrusion of the access device at that interface, the access device sets the working mode of the interface to locked mode to prevent any terminal from accessing the network of the access device via that interface, thus improving the security of the network of the access device. Further, the access device performs the above processing on each of the at least one interface to prevent any terminal from communicating with the access device or with the superior network device of the access device, thus effectively preventing hacker invasion and protecting network security.

Description

Method for preventing intrusion and access device
This application claims priority to Chinese Patent Application No. 201410070449.5, filed with the Chinese Patent Office on February 28, 2014 and entitled "Method for preventing intrusion and access device", which is incorporated herein by reference in its entirety.
Technical field
The embodiments of the present invention relate to the field of network technologies, and in particular to a method for preventing intrusion and an access device.
Background technique
Electric power services comprise generation, transmission, substation, dispatch, distribution and consumption. As distribution and consumption services extend to roadsides and buildings, the security capability of the original dedicated power network is seriously undermined. Attackers can easily reach the distribution network and the consumption network: a hacker can illegally access a distribution network that has Optical Network Unit (ONU) interfaces or a consumption network that has concentrator interfaces, and thereby intrude into and control the distribution network, the consumption network and even the dispatch automation system, causing severe consequences such as safety incidents in distribution, in consumption and even in the power grid.
Summary of the invention
The embodiments of the present invention provide a method for preventing intrusion, so as to improve network security.
In a first aspect, a method for preventing intrusion is provided. The method is applied to an access device, the access device includes an interface, and the interface is used by a terminal to access, through the interface, the network in which the access device is located. The method includes: the access device determines that a trigger event is satisfied, the trigger event indicating that, at the interface, the access device is at risk of being intruded; and the access device sets the working mode of the interface to a blocking mode, the blocking mode being used to prevent any terminal from accessing, through the interface, the network in which the access device is located.
With reference to the first aspect, in a first possible implementation of the first aspect, the access device has an interface state monitoring function. When it is determined that the access device has enabled the interface state monitoring function, the trigger event includes: the state of the interface changes from UP to DOWN; or the working mode of the interface is the operating mode and the interface has been DOWN for longer than a preset threshold; or the access device restarts. When the access device enables the interface state monitoring function, the trigger event includes: the state of the interface is DOWN.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the method further includes: the access device generates a first message, the first message indicating that the working mode of the interface is the blocking mode; and the access device sends the first message to a network management system.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, after the access device sends the first message to the network management system, the method further includes: the access device receives a second message sent by the network management system, the second message instructing the access device to switch the working mode of the interface to the operating mode; and the access device switches the working mode of the interface to the operating mode according to the second message.
With reference to the first aspect or any of the foregoing possible implementations of the first aspect, in a fourth possible implementation of the first aspect, the method further includes: the access device receives a third message sent by the network management system, the third message indicating that the interface needs to be debugged; and the access device switches the working mode of the interface to a debugging mode according to the third message.
In a second aspect, an access device is provided. The access device includes an interface, the interface is used by a terminal to access, through the interface, the network in which the access device is located, and the access device includes: a determining unit, configured to determine that a trigger event is satisfied, the trigger event indicating that, at the interface, the access device is at risk of being intruded; and a setting unit, configured to set the working mode of the interface to a blocking mode, the blocking mode being used to prevent any terminal from accessing, through the interface, the network in which the access device is located.
With reference to the second aspect, in a first possible implementation of the second aspect, the access device has an interface state monitoring function. When it is determined that the access device has enabled the interface state monitoring function, the trigger event includes: the state of the interface changes from UP to DOWN; or the working mode of the interface is the operating mode and the interface has been DOWN for longer than a preset threshold; or the access device restarts. When the access device enables the interface state monitoring function, the trigger event includes: the state of the interface is DOWN.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the access device further includes: a generating unit, configured to generate a first message, the first message indicating that the working mode of the interface is the blocking mode; and a sending unit, configured to send the first message generated by the generating unit to a network management system.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the access device further includes: a receiving unit, configured to receive a second message sent by the network management system, the second message instructing the access device to switch the working mode of the interface to the operating mode; and the setting unit is further configured to switch the working mode of the interface to the operating mode according to the second message received by the receiving unit.
With reference to the second aspect or any of the foregoing possible implementations of the second aspect, in a fourth possible implementation of the second aspect, the receiving unit is further configured to receive a third message sent by the network management system, the third message indicating that the interface needs to be debugged; and the setting unit is further configured to switch the working mode of the interface to a debugging mode according to the third message received by the receiving unit.
In a third aspect, an access device is provided. The access device includes an interface, the interface is used by a terminal to access, through the interface, the network in which the access device is located, and the access device further includes a processor and a memory, where: the memory is configured to store program code; and the processor is configured to read the program code in the memory and execute the following: determining that a trigger event is satisfied, the trigger event indicating that, at the interface, the access device is at risk of being intruded; and setting the working mode of the interface to a blocking mode, the blocking mode being used to prevent any terminal from accessing, through the interface, the network in which the access device is located.
With reference to the third aspect, in a first possible implementation of the third aspect, the access device has an interface state monitoring function. When it is determined that the access device has enabled the interface state monitoring function, the trigger event includes: the state of the interface changes from UP to DOWN; or the working mode of the interface is the operating mode and the interface has been DOWN for longer than a preset threshold; or the access device restarts. When the access device enables the interface state monitoring function, the trigger event includes: the state of the interface is DOWN.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the access device further includes a sending circuit, the sending circuit communicates with a network management system through a port in the access device, the processor is further configured to generate a first message, the first message indicating that the working mode of the interface is the blocking mode, and the sending circuit is configured to send the first message generated by the processor to the network management system.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the access device further includes a receiving circuit, the receiving circuit communicates with the network management system through a port in the access device, the receiving circuit is configured to receive a second message sent by the network management system, the second message instructing the access device to switch the working mode of the interface to the operating mode, and the processor is further configured to switch the working mode of the interface to the operating mode according to the second message received by the receiving circuit.
With reference to the third aspect or any of the foregoing possible implementations of the third aspect, in a fourth possible implementation of the third aspect, the receiving circuit is further configured to receive a third message sent by the network management system, the third message indicating that the interface needs to be debugged; and the processor is further configured to switch the working mode of the interface to a debugging mode according to the third message received by the receiving circuit.
The access device in the embodiments of the present invention includes at least one interface. For any one of these interfaces, when the access device determines that there is a risk, at that interface, of the access device being intruded, it sets the working mode of the interface to the blocking mode, which prevents any terminal from accessing, through that interface, the network in which the access device is located, thereby improving the security of that network. Further, the access device performs the above processing on each of the at least one interface, so as to prevent any terminal from communicating with the access device or with the upper-level network device of the access device, which can effectively prevent hackers from gaining access and protect the security of the network.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from these drawings without creative effort.
FIG. 1 is a schematic diagram of a scenario according to an embodiment of the present invention.
FIG. 2 is a flowchart of a method for preventing intrusion according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of switching between the working modes of an interface according to an embodiment of the present invention.
FIG. 4 is a schematic flowchart of a method for preventing intrusion according to an embodiment of the present invention.
FIG. 5 is a block diagram of an access device according to an embodiment of the present invention.
FIG. 6 is a block diagram of an access device according to another embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments. Obviously, the described embodiments are some, rather than all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the embodiments of the present invention, the access device may be a communication device dedicated to the power sector, such as an ONU or a concentrator. The access device may also be another communication device, such as a switch, a router or Customer Premises Equipment (CPE). The access device may also be any other access device that connects to terminals; the present invention does not limit this. The terminal connected to the access device may be a user terminal, a hub, or another type of terminal; the present invention does not limit this either.
FIG. 1 is a schematic diagram of a scenario according to an embodiment of the present invention. The scenario shown in FIG. 1 includes an access device 100 having multiple interfaces; the access device 100 shown in FIG. 1 has six interfaces, labelled 101 to 106 in FIG. 1. FIG. 1 also shows a first terminal 110 that communicates with the access device through interface 106.
It should be noted that the embodiments of the present invention do not limit the number of interfaces of the access device; the six interfaces of the access device in FIG. 1 are merely illustrative.
It should also be noted that the access device in the embodiments of the present invention further has a central processing unit, a port for connecting to the network management system, and other components, which are not shown in FIG. 1. The present invention does not limit this.
FIG. 2 is a flowchart of a method for preventing intrusion according to an embodiment of the present invention. The method shown in FIG. 2 is performed by an access device that includes an interface, the interface being used by a terminal to access, through the interface, the network in which the access device is located. The method of FIG. 2 includes:
201. Determine that a trigger event is satisfied, the trigger event indicating that, at the interface, the access device is at risk of being intruded.
202. Set the working mode of the interface to a blocking mode, the blocking mode being used to prevent any terminal from accessing, through the interface, the network in which the access device is located.
The access device in the embodiments of the present invention includes at least one interface. For any one of these interfaces, when the access device determines that there is a risk, at that interface, of the access device being intruded, it sets the working mode of the interface to the blocking mode, which prevents any terminal from accessing, through that interface, the network in which the access device is located, thereby improving the security of that network. Further, the access device performs the above processing on each of the at least one interface, so as to prevent any terminal from communicating with the access device or with the upper-level network device of the access device, which can effectively prevent hackers from gaining access and protect the security of the network.
In the embodiments of the present invention, the access device includes an interface, and the state of the interface is either UP or DOWN.
The interface state UP can be understood as: a first terminal is connected (linked) to the access device through the interface and is communicating. The interface state DOWN can be understood as: the interface is idle and no terminal is connected to the access device through it.
It should be noted that the communication referred to in the embodiments of the present invention may be communication with the access device itself or with other devices in the network in which the access device is located; the present invention does not limit this.
The interface state changing from UP to DOWN can be understood as the relationship between the first terminal and the access device on that interface changing from connected to disconnected. The interface state changing from DOWN to UP can be understood as the interface initially being idle and a first terminal subsequently connecting to the access device through the interface and communicating.
In the embodiments of the present invention, the working mode of an interface is the debugging mode, the operating mode or the blocking mode, as shown in FIG. 3.
When the working mode of the interface is the operating mode, the state of the interface may be UP or DOWN. Specifically, when the working mode of the interface is the operating mode and its state is DOWN, the interface may also be described as able to come UP. An interface being able to come UP can be understood as: its current state is DOWN, and when a second terminal attempts to connect to the access device through the interface, the second terminal can access the network in which the access device is located and communicate. The second terminal may be the first terminal or any other terminal different from the first terminal.
When the working mode of the interface is the blocking mode and its state is DOWN, the interface may also be described as unable to come UP. An interface being unable to come UP can be understood as: its current state is DOWN, and when any terminal attempts to connect to the access device through the interface, the access device does not allow that terminal to communicate through the interface.
It can also be understood that, when the working mode of the interface is the blocking mode, even if a terminal is nominally connected to the access device through the interface, it cannot communicate.
In the embodiments of the present invention, the access device may have an interface state monitoring function; when the access device enables the interface state monitoring function, it can monitor the state changes of each of its interfaces.
接入设备可能处于部署阶段或者处于运行阶段。当接入设备处于部署阶段时,该接入设备的接口状态监控功能关闭,这样可以便于该接入设备的现网部署和调试。当接入设备处于运行阶段时,该接入设备的接口状态监控功能开启。接入设备从运行阶段切换至部署阶段时,可以同时将该接入设备的接口状态监控功能关闭。接入设备从部署阶段切换至运行阶段时,可以同时将该接入设备的接口状态监控功能开启。The access device may be in the deployment phase or in the operational phase. When the access device is in the deployment phase, the interface status monitoring function of the access device is disabled. This facilitates the deployment and debugging of the access device. When the access device is in the running phase, the interface state monitoring function of the access device is enabled. When the access device is switched from the running phase to the deployment phase, the interface state monitoring function of the access device can be disabled at the same time. When the access device is switched from the deployment phase to the running phase, the interface state monitoring function of the access device can be enabled at the same time.
具体地,当接入设备处于部署阶段时,接入设备的接口状态监控功能关闭,并且该接入设备的所有的接口的工作模式均为调试模式。具体地,当接入设备处于运行阶段时,接入设备的接口状态监控功能开启,并且该接入设备的接口的工作模式为运行模式或者闭锁模式。如图3所示,在点画线的左侧,表示接入设备处于部署阶段,接口的工作模式为调试模式。在点画线的右侧,表示接入设备处于运行阶段,接口的工作模式为运行模式或闭锁模式。这种关系可见表1所示。Specifically, when the access device is in the deployment phase, the interface state monitoring function of the access device is turned off, and the working modes of all the interfaces of the access device are in the debugging mode. Specifically, when the access device is in the running phase, the interface state monitoring function of the access device is enabled, and the working mode of the interface of the access device is the running mode or the blocking mode. As shown in Figure 3, on the left side of the dotted line, the access device is in the deployment phase, and the working mode of the interface is the debug mode. On the right side of the dotted line, it indicates that the access device is in the running phase, and the working mode of the interface is the running mode or the blocking mode. This relationship can be seen in Table 1.
Table 1 (image PCTCN2015070371-appb-000001 in the original; not reproduced here)
Optionally, as an embodiment, when it is determined that the access device has enabled the interface state monitoring function, the trigger event in 201 may be: the state of the interface changes from UP to DOWN; or the working mode of the interface is the running mode and the interface has been DOWN for longer than a preset threshold; or the access device restarts.
The trigger event "the state of the interface changes from UP to DOWN" may be understood as the state of the interface changing from UP to DOWN while the working mode of the interface is the running mode.
For the trigger event "the access device restarts", the interface may be understood as any interface of the access device.
The embodiment of the present invention does not limit the size of the preset threshold. For example, the preset threshold may be 10 minutes, or 1 hour, or some other value; the present invention does not limit this.
It may be understood that 201 and 202 are performed while the access device is in the running phase, or, equivalently, while the access device has the interface state monitoring function enabled. In this case, in 202, the access device sets the working mode of the interface from the running mode to the blocking mode according to the trigger event, as shown at 301 in Figure 3.
Optionally, as another embodiment, when the access device enables the interface state monitoring function, the trigger event in 201 may also be: the state of the interface of the access device is DOWN.
This trigger event may also be understood as: the state of the interface is DOWN when the access device switches from the deployment phase to the running phase.
It may be understood that 201 and 202 are performed at the moment the access device enables the interface state monitoring function, in other words, at the moment the access device switches from the deployment phase to the running phase. In this case, in 202, the access device switches the working mode of the interface from the debugging mode to the blocking mode, as shown at 302 in Figure 3.
Optionally, as an embodiment, the access device may generate a first message after setting the working mode of the interface to the blocking mode in 202, or at the same time as doing so, or before 202; the present invention does not limit this. The first message indicates that the working mode of the interface of the access device is the blocking mode.
Further, the access device may send the first message to a network management system.
In the embodiment of the present invention, the network management system may be a server on which network management software is installed, a personal computer (PC) on which network management software is installed, or any other device having a network management function; the present invention does not limit this.
In this way, the network management system learns of the change in the working mode of the interface of the access device and can perform further processing according to the first message.
Optionally, after receiving the first message, the network management system may present the information indicated by the first message to the user. For example, the interface number of the interface may be shown on the display of the server or PC on which the network management software is installed.
The user may then inspect the interface on the basis of the presented information. If the user confirms that the interface has suffered an illegal intrusion, the user performs no further unlocking operation and the working mode of the interface remains the blocking mode. If the user confirms that the interface will remain DOWN for a long time and that no terminal needs to access the access device normally through it for a period of time, the user may likewise perform no further unlocking operation and the working mode of the interface remains the blocking mode. A terminal that accesses the access device normally here refers to a terminal that the user can identify and has permitted to access the access device.
If, after investigation, the user determines that there has been no illegal intrusion at the interface, the user may perform an unlocking operation.
Specifically, the user may switch the working mode of the interface to the running mode through the network management system.
For example, the user may perform a first input; the network management system generates a second message according to the first input and sends the second message to the access device. Further, the access device receives the second message sent by the network management system, the second message instructing the access device to switch the working mode of the interface to the running mode, and switches the working mode of the interface to the running mode according to the second message, as shown at 303 in Figure 3.
In this way, once the user has verified that the interface has not been accessed illegally, the second message allows the access device to switch the working mode of the interface back to the running mode promptly, which ensures normal communication between the access device and the terminal connected to it through that interface.
Alternatively, the user may switch the working mode of the interface to the debugging mode through the network management system.
For example, when the user determines that the interface of the access device needs to be debugged, the user may perform a second input; the network management system generates a third message according to the second input and sends the third message to the access device. Further, the access device receives the third message sent by the network management system and switches the working mode of the interface to the debugging mode according to the third message. The third message indicates that the interface of the access device needs to be debugged.
It should be noted that, while switching the working mode of the interface to the debugging mode, the access device may disable its interface state monitoring function.
It should be understood, with reference to Table 1, that while switching the working mode of the interface to the debugging mode, the access device switches from the running phase to the deployment phase and disables its interface state monitoring function. That is, the working modes of all interfaces of the access device are switched to the debugging mode at the same time, as shown at 304 in Figure 3.
In this way, the working mode of the interface can be switched from the running mode or the blocking mode to the debugging mode.
Further, after debugging of the interface of the access device is completed, the access device may enable its interface state monitoring function and switch the working mode of the interface from the debugging mode to the running mode or the blocking mode.
Specifically, after debugging of the interface of the access device is completed, the user may perform a third input; the network management system generates a fourth message according to the third input and sends the fourth message to the access device. Further, the access device receives the fourth message sent by the network management system, enables its interface state monitoring function according to the fourth message, and switches the working mode of the interface to the running mode or the blocking mode.
It should be understood that when the access device enables the interface state monitoring function, it also switches from the deployment phase to the running phase at the same time.
Specifically, if, when the access device enables its interface state monitoring function after debugging, it determines that the interface satisfies the trigger event "the state of the interface is DOWN", then at that moment it switches the working mode of the interface to the blocking mode, as shown at 302 in Figure 3.
Specifically, if, when the access device enables its interface state monitoring function after debugging, the state of the interface is UP, that is, a terminal that the user can identify and has permitted to access the access device is connected at the interface, then at that moment it switches the working mode of the interface to the running mode, as shown at 305 in Figure 3.
In this way, the working mode of the interface can be switched from the debugging mode to the running mode or the blocking mode.
Thus, the embodiment of the present invention enables the working mode of the interface of the access device to be switched among the running mode, the debugging mode and the blocking mode.
Figure 4 is a schematic flowchart of a method for preventing intrusion according to an embodiment of the present invention. It is assumed that the access device is in the running phase, that is, that the access device has enabled the interface state monitoring function. The method shown in Figure 4 includes:
401. The access device determines that the state of the interface changes from UP to DOWN.
This may be understood as a terminal that was communicating with the access device through the interface being disconnected from the access device, or as the state of the interface changing from UP to DOWN while the working mode of the interface is the running mode. The interface may be any interface of the access device.
For example, referring to Figure 1, when the connection between the first terminal 110 and the access device 100 is broken at the interface 106, the access device 100 detects that the state of the interface 106 changes from UP to DOWN.
402. The access device sets the working mode of the interface to the blocking mode, and 403 is performed.
For example, referring to Figure 1, the access device 100 switches the working mode of the interface 106 from the running mode to the blocking mode.
If, in 401, the state of the interface changed from UP to DOWN because a hacker wanted to connect to the access device through the interface, illegal intrusion is thereby prevented.
403. The access device generates a first message, and 404 is performed.
Specifically, the first message indicates that the working mode of the interface is the blocking mode.
404. The access device sends the first message generated in 403 to the network management system.
405. The access device receives a second message sent by the network management system, the second message instructing the access device to switch the working mode of the interface to the running mode, and 406 is performed.
406. The access device switches the working mode of the interface to the running mode.
In this way, when the network management system has ruled out the possibility of illegal intrusion, the working mode of the interface is switched from the blocking mode to the running mode, which ensures normal use of the interface.
409. Illegal intrusion is prevented.
After 406, 410 may also be performed.
410. Determine whether the duration for which the interface has been in the UP-able state exceeds the preset threshold. If so, 402 is performed.
It should be noted that Figure 4 is only one embodiment of the present invention. Other embodiments that a person skilled in the art can obtain on the basis of this embodiment without inventive effort all fall within the scope of protection of the present invention.
In this way, when the access device detects a risk of intrusion at an interface, it sets the working mode of the interface to the blocking mode, which prevents illegal intrusion into the access device through that interface and thereby effectively protects the security of the network.
For the access device 100 shown in Figure 1, assume that the access device 100 is initially in the deployment phase: its interface state monitoring function is disabled, and the working mode of each of the interfaces 101 to 106 is the debugging mode. Subsequently, at a first moment, the access device 100 switches from the deployment phase to the running phase and at the same time enables its interface state monitoring function. Determining that the state of the interfaces 101 to 105 is DOWN, it switches the working mode of each of the interfaces 101 to 105 to the blocking mode. The state of the interface 106 is UP at this time, so it switches the working mode of the interface 106 to the running mode. Thus the first terminal 110 can communicate with the access device 100 through the interface 106 and can further communicate through the interface 106 with the upstream network device of the access device 100.
At a second moment, when the access device 100 restarts, it sets the working mode of all of the interfaces 101 to 106 to the blocking mode. Specifically, at the second moment, the access device 100 keeps the working mode of the interfaces 101 to 105 as the blocking mode and switches the working mode of the interface 106 from the running mode to the blocking mode. Further, on instruction from the network management system, the access device 100 may switch the working mode of the interface 106 to the running mode, so that the first terminal 110 connected to the access device 100 through the interface 106 can communicate normally with the access device 100.
At a third moment, the access device 100 may also, on instruction from the network management system, switch the working mode of one or more of the interfaces 101 to 105 to the running mode. For example, the network management system may instruct the access device 100 to switch the working mode of the interface 103 to the running mode so that a permitted second terminal can access the access device normally. However, if the state of the interface 103 is still DOWN once the preset threshold has elapsed after the access device 100 switched the working mode of the interface 103 to the running mode, the access device 100 may switch the working mode of the interface 103 back to the blocking mode. This may also be understood as the access device 100 changing the interface 103 from UP-able to not UP-able.
If, at a fourth moment, the access device 100 finds that the connection of the first terminal 110 to the access device 100 through the interface 106 is broken, that is, the state of the interface 106 changes from UP to DOWN, the access device 100 switches the working mode of the interface 106 to the blocking mode.
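The mode transitions described for Figure 3 (debugging, running and blocking mode; the trigger events; the first to fourth messages exchanged with the network management system) and the four-moment scenario for access device 100 just described, modelled as an added example. This is not code from the patent or its assignee: the class AccessDevice, its method names, the message dictionaries, the timestamps and the 600-second threshold are assumptions made for illustration.

```python
# Added example, not from the patent: a hypothetical model of the interface-mode state machine.
from enum import Enum


class Mode(Enum):
    DEBUG = "debug"        # deployment phase, monitoring disabled
    RUN = "run"            # normal service; a DOWN interface is "UP-able"
    BLOCKING = "blocking"  # intrusion risk detected; the interface is "not UP-able"


class Interface:
    def __init__(self, number):
        self.number, self.link, self.mode = number, False, Mode.DEBUG  # link: terminal attached?
        self.down_since = None  # when a RUN-mode interface last became DOWN; None while UP


class AccessDevice:
    def __init__(self, interface_numbers, down_threshold):
        self.monitoring = False               # False = deployment phase, True = running phase
        self.down_threshold = down_threshold  # the preset threshold, in seconds (600 = 10 minutes)
        self.interfaces = {n: Interface(n) for n in interface_numbers}
        self.outbox = []                      # "first messages" queued for the network management system

    def state(self, number):
        # UP only if a terminal is attached and the interface is not blocked (blocked = not UP-able)
        iface = self.interfaces[number]
        return "UP" if iface.link and iface.mode is not Mode.BLOCKING else "DOWN"

    def modes(self):
        return {n: i.mode.value for n, i in self.interfaces.items()}

    def _block(self, iface):
        # 301/302: enter blocking mode and queue the first message (none if already blocked)
        if iface.mode is Mode.BLOCKING:
            return
        iface.mode, iface.down_since = Mode.BLOCKING, None
        self.outbox.append({"type": "first", "interface": iface.number, "mode": Mode.BLOCKING.value})

    def _run(self, iface, now):
        # 303/305: enter running mode; a DOWN interface starts its idle timer
        iface.mode = Mode.RUN
        iface.down_since = None if iface.link else now

    def enable_monitoring(self, now):
        # deployment -> running phase: DOWN interfaces are blocked (302), UP ones run (305)
        self.monitoring = True
        for iface in self.interfaces.values():
            if iface.link:
                self._run(iface, now)
            else:
                self._block(iface)

    def disable_monitoring(self):
        # running -> deployment phase (304): every interface returns to debugging mode
        self.monitoring = False
        for iface in self.interfaces.values():
            iface.mode, iface.down_since = Mode.DEBUG, None

    def link_change(self, number, link):
        # physical link event; UP -> DOWN in running mode is trigger 301
        iface = self.interfaces[number]
        was_up = self.state(number) == "UP"
        iface.link = link
        if was_up and not link and iface.mode is Mode.RUN:
            self._block(iface)
        elif link:
            iface.down_since = None

    def tick(self, now):
        # trigger: running mode and DOWN for longer than the preset threshold
        for iface in self.interfaces.values():
            if (iface.mode is Mode.RUN and iface.down_since is not None
                    and now - iface.down_since > self.down_threshold):
                self._block(iface)

    def restart(self):
        # trigger: a restart while monitoring is on blocks every interface
        if self.monitoring:
            for iface in self.interfaces.values():
                self._block(iface)

    def receive_nms(self, message, now):
        # second message: unlock one interface to running; third: debugging; fourth: enable monitoring
        if message["type"] == "second":
            self._run(self.interfaces[message["interface"]], now)
        elif message["type"] == "third":
            self.disable_monitoring()
        elif message["type"] == "fourth":
            self.enable_monitoring(now)


def replay_figure1_scenario(threshold=600.0):
    # constructed timeline replaying the four moments described for access device 100
    dev = AccessDevice(range(101, 107), threshold)
    dev.link_change(106, True)                        # first terminal 110 attached during deployment
    dev.enable_monitoring(now=10.0)                   # first moment
    snapshots = [dev.modes()]
    dev.restart()                                     # second moment, then the NMS unlocks 106
    snapshots.append(dev.modes())
    dev.receive_nms({"type": "second", "interface": 106}, now=20.0)
    dev.receive_nms({"type": "second", "interface": 103}, now=30.0)  # third moment
    dev.tick(now=30.0 + threshold + 1)                # 103 stays DOWN past the threshold
    snapshots.append(dev.modes())
    dev.link_change(106, False)                       # fourth moment: terminal 110 disconnects
    snapshots.append(dev.modes())
    return snapshots, dev.outbox
```

Two design points follow the text rather than convenience: a blocked interface reports DOWN even when a terminal is physically attached, which is the "nominally connected but cannot communicate" property of the blocking mode, and a first message is queued only on an actual transition into the blocking mode, so a restart does not flood the network management system with notifications for interfaces that were already blocked.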
The access device in the embodiment of the present invention includes at least one interface. When the access device determines that there is a risk at one of these interfaces of the access device being intruded upon, it sets the working mode of that interface to the blocking mode, which prevents any terminal from accessing the access device through the interface and further prevents any terminal from communicating with the access device or with its upstream network device, thereby effectively preventing hacker intrusion at the physical level. Moreover, the method of the embodiment of the present invention is implemented on the product side, without adding extra equipment, and so effectively saves cost.
Figure 5 is a block diagram of an access device according to an embodiment of the present invention. The access device 500 shown in Figure 5 includes an interface through which a terminal accesses the network in which the access device 500 is located, and the access device 500 includes a determining unit 501 and a setting unit 502.
The determining unit 501 is configured to determine that a trigger event is satisfied, the trigger event indicating that there is a risk at the interface of the access device 500 being intruded upon. The setting unit 502 is configured to set the working mode of the interface to the blocking mode if the determining unit 501 determines that the trigger event is satisfied, the blocking mode preventing any terminal from accessing, through the interface, the network in which the access device 500 is located.
The access device in the embodiment of the present invention includes at least one interface. For any one of these interfaces, when the access device determines that there is a risk at that interface of the access device being intruded upon, it sets the working mode of the interface to the blocking mode, which prevents any terminal from accessing, through that interface, the network in which the access device is located, thereby improving the security of that network. Further, the access device performs the above processing on each of the at least one interface, so as to prevent any terminal from communicating with the access device or with the upstream network device of the access device, which effectively prevents hackers from gaining access and protects the security of the network.
Optionally, as an embodiment, the access device 500 has an interface state monitoring function.
When it is determined that the access device 500 has enabled the interface state monitoring function, the trigger event includes: the state of the interface changes from UP to DOWN; or the working mode of the interface is the running mode and the interface has been DOWN for longer than a preset threshold; or the access device 500 restarts.
When the access device 500 enables the interface state monitoring function, the trigger event includes: the state of the interface is DOWN.
Optionally, as another embodiment, the access device 500 further includes a generating unit 503 and a sending unit 504. The generating unit 503 is configured to generate a first message indicating that the working mode of the interface is the blocking mode. The sending unit 504 is configured to send the first message generated by the generating unit 503 to the network management system.
Optionally, as another embodiment, the access device 500 further includes a receiving unit 505. The receiving unit 505 is configured to receive a second message sent by the network management system, the second message instructing the access device 500 to switch the working mode of the interface to the running mode. The setting unit 502 is further configured to switch the working mode of the interface to the running mode according to the second message received by the receiving unit 505.
Optionally, as another embodiment, the receiving unit 505 is further configured to receive a third message sent by the network management system, the third message indicating that the interface needs to be debugged. The setting unit 502 is further configured to switch the working mode of the interface to the debugging mode according to the third message received by the receiving unit 505.
The access device 500 can implement each of the processes performed by the access device in the embodiments of Figure 2 and Figure 4; to avoid repetition, they are not described again here.
Figure 6 is a block diagram of an access device according to another embodiment of the present invention. The access device 600 in Figure 6 includes an interface through which a terminal accesses the network in which the access device 600 is located, and the access device 600 includes a processor 601, a receiving circuit 602, a sending circuit 603 and a memory 604. The receiving circuit 602 and the sending circuit 603 communicate with the network management system through a port of the access device 600.
The memory 604 is configured to store program code;
the processor 601 is configured to read the program code in the memory 604 and perform the following:
determining that a trigger event is satisfied, the trigger event indicating that there is a risk at the interface of the access device 600 being intruded upon; and setting the working mode of the interface to the blocking mode, the blocking mode preventing any terminal from accessing, through the interface, the network in which the access device 600 is located.
The access device in the embodiment of the present invention includes at least one interface. For any one of these interfaces, when the access device determines that there is a risk at that interface of the access device being intruded upon, it sets the working mode of the interface to the blocking mode, which prevents any terminal from accessing, through that interface, the network in which the access device is located, thereby improving the security of that network. Further, the access device performs the above processing on each of the at least one interface, so as to prevent any terminal from communicating with the access device or with the upstream network device of the access device, which effectively prevents hackers from gaining access and protects the security of the network.
The components of the access device 600 are coupled together by a bus system 605, which, in addition to a data bus, includes a power bus, a control bus and a status signal bus. For clarity of description, however, the various buses are all labelled as the bus system 605 in Figure 6.
The method disclosed in the foregoing embodiments of the present invention may be applied to, or implemented by, the processor 601. The processor 601 may be an integrated circuit chip with signal processing capability. During implementation, the steps of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 601 or by instructions in the form of software. The processor 601 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or perform the methods, steps and logical block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be embodied directly as being performed by a hardware decoding processor, or performed by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium mature in the art, such as a random access memory (RAM), a flash memory, a read-only memory (ROM), a programmable read-only memory or an electrically erasable programmable memory, or a register. The storage medium is located in the memory 604; the processor 601 reads the information in the memory 604 and completes the steps of the above method in combination with its hardware.
Optionally, as an embodiment, the access device 600 has an interface state monitoring function.
When it is determined that the access device 600 has enabled the interface state monitoring function, the triggering event includes: the state of the interface changes from UP to DOWN; or the working mode of the interface is the operating mode and the interface has been DOWN for longer than a preset threshold; or the access device 600 restarts.
When the access device 600 is enabling the interface state monitoring function, the triggering event includes: the state of the interface is DOWN.
Optionally, as another embodiment, the processor 601 is further configured to generate a first message, the first message indicating that the working mode of the interface is the blocking mode. The transmitting circuit 603 is configured to send the first message generated by the processor 601 to a network management system.
Optionally, as another embodiment, the receiving circuit 602 is configured to receive a second message sent by the network management system, the second message instructing the access device 600 to switch the working mode of the interface to the operating mode. The processor 601 is further configured to switch the working mode of the interface to the operating mode according to the second message received by the receiving circuit 602.
Optionally, as another embodiment, the receiving circuit 602 is further configured to receive a third message sent by the network management system, the third message indicating that the interface needs to be debugged. The processor 601 is further configured to switch the working mode of the interface to the debugging mode according to the third message received by the receiving circuit 602.
The access device 600 can perform each of the processes performed by the access device in the embodiments of FIG. 2 and FIG. 4; to avoid repetition, they are not described here again.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such an implementation should not be considered beyond the scope of the present invention.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above may be found in the corresponding processes of the foregoing method embodiments and are not described here again.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and another division may be used in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disc.
The foregoing are merely specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (10)

  1. A method for preventing intrusion, wherein the method is applied to an access device, the access device comprises an interface, and the interface is used by a terminal to access, through the interface, the network in which the access device is located, the method comprising:
    the access device determining that a triggering event is satisfied, the triggering event indicating that the access device is at risk of being intruded at the interface;
    the access device setting the working mode of the interface to a blocking mode, the blocking mode being used to prevent any terminal from accessing, through the interface, the network in which the access device is located.
  2. The method according to claim 1, wherein the access device has an interface state monitoring function,
    when it is determined that the access device has enabled the interface state monitoring function, the triggering event comprises: the state of the interface changes from UP to DOWN; or the working mode of the interface is an operating mode and the interface has been DOWN for longer than a preset threshold; or the access device restarts;
    when the access device is enabling the interface state monitoring function, the triggering event comprises: the state of the interface is DOWN.
  3. The method according to claim 1 or 2, wherein the method further comprises:
    the access device generating a first message, the first message indicating that the working mode of the interface is the blocking mode;
    the access device sending the first message to a network management system.
  4. The method according to claim 3, wherein after the access device sends the first message to the network management system, the method further comprises:
    the access device receiving a second message sent by the network management system, the second message instructing the access device to switch the working mode of the interface to the operating mode;
    the access device switching the working mode of the interface to the operating mode according to the second message.
  5. The method according to any one of claims 1 to 4, wherein the method further comprises:
    the access device receiving a third message sent by the network management system, the third message indicating that the interface needs to be debugged;
    the access device switching the working mode of the interface to a debugging mode according to the third message.
  6. An access device, wherein the access device comprises an interface, the interface is used by a terminal to access, through the interface, the network in which the access device is located, and the access device comprises:
    a determining unit, configured to determine that a triggering event is satisfied, the triggering event indicating that the access device is at risk of being intruded at the interface;
    a setting unit, configured to set the working mode of the interface to a blocking mode if the determining unit determines that the triggering event is satisfied, the blocking mode being used to prevent any terminal from accessing, through the interface, the network in which the access device is located.
  7. The access device according to claim 6, wherein the access device has an interface state monitoring function,
    when it is determined that the access device has enabled the interface state monitoring function, the triggering event comprises: the state of the interface changes from UP to DOWN; or the working mode of the interface is an operating mode and the interface has been DOWN for longer than a preset threshold; or the access device restarts;
    when the access device is enabling the interface state monitoring function, the triggering event comprises: the state of the interface is DOWN.
  8. The access device according to claim 6 or 7, wherein the access device further comprises:
    a generating unit, configured to generate a first message, the first message indicating that the working mode of the interface is the blocking mode;
    a sending unit, configured to send the first message generated by the generating unit to a network management system.
  9. The access device according to claim 8, wherein the access device further comprises:
    a receiving unit, configured to receive a second message sent by the network management system, the second message instructing the access device to switch the working mode of the interface to the operating mode;
    the setting unit being further configured to switch the working mode of the interface to the operating mode according to the second message received by the receiving unit.
  10. The access device according to any one of claims 6 to 9, wherein
    the receiving unit is further configured to receive a third message sent by the network management system, the third message indicating that the interface needs to be debugged;
    the setting unit is further configured to switch the working mode of the interface to a debugging mode according to the third message received by the receiving unit.
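The interface mode machine that the embodiment of access device 600 and claims 1 to 10 describe, written out as an added runnable model. This is illustrative code added here, not code from the patent or from Huawei; the mode and message names, the `Message` layout, the 30-second `down_threshold` and the method names are assumptions, since the text fixes only the trigger conditions, the blocking action and the three messages. The property worth seeing is that the interface never re-opens by itself: a link flap on a monitored port locks it, plugging a device back in does not clear the lock, and only an explicit second or third message from the network management system returns it to the operating or debugging mode.

```python
"""Model of the interface-locking behaviour of the access device above.
Added illustration, not the patent's or Huawei's code; names, message
layout and the threshold value are assumptions made for this example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    RUN = "run"          # operating mode: terminals may join through the interface
    BLOCKED = "blocked"  # blocking mode: no terminal may join through the interface
    DEBUG = "debug"      # debugging mode: entered only on the NMS's third message


@dataclass
class Message:
    """Assumed encoding of the three messages exchanged with the NMS."""
    kind: str        # "blocked" = first message, "set_run" = second, "set_debug" = third
    interface: str


@dataclass
class Interface:
    name: str
    mode: Mode = Mode.RUN
    is_up: bool = True
    down_since: Optional[float] = None   # time of the last UP -> DOWN transition


@dataclass
class AccessDevice:
    """One access device with one monitored interface (the text's access device 600)."""
    iface: Interface
    down_threshold: float = 30.0         # assumed preset threshold, in seconds
    monitoring_enabled: bool = False
    outbox: List[Message] = field(default_factory=list)   # messages sent to the NMS
    last_reason: Optional[str] = None

    def _lock(self, reason: str) -> None:
        """Claim 1 action: enter blocking mode and send the first message to the NMS.
        Idempotent, so a flap while already blocked does not notify twice."""
        self.last_reason = reason
        if self.iface.mode is not Mode.BLOCKED:
            self.iface.mode = Mode.BLOCKED
            self.outbox.append(Message("blocked", self.iface.name))

    # Trigger events of claim 2.
    def enable_monitoring(self) -> None:
        """While the function is being enabled, an interface already DOWN is a trigger."""
        self.monitoring_enabled = True
        if not self.iface.is_up:
            self._lock("interface DOWN when monitoring was enabled")

    def on_link_change(self, is_up: bool, now: float) -> None:
        """Link-state event from the port hardware; UP -> DOWN is a trigger."""
        was_up = self.iface.is_up
        self.iface.is_up = is_up
        if is_up:
            self.iface.down_since = None
        elif was_up:
            self.iface.down_since = now
            if self.monitoring_enabled:
                self._lock("interface changed from UP to DOWN")

    def tick(self, now: float) -> None:
        """Periodic check: operating mode with the link DOWN past the threshold is a trigger."""
        if (self.monitoring_enabled
                and self.iface.mode is Mode.RUN
                and self.iface.down_since is not None
                and now - self.iface.down_since > self.down_threshold):
            self._lock("interface DOWN longer than threshold")

    def on_restart(self) -> None:
        """A device restart is a trigger (monitoring_enabled assumed persisted across reboot)."""
        if self.monitoring_enabled:
            self._lock("access device restarted")

    # Second and third messages of claims 4 and 5.
    def handle_nms_message(self, msg: Message) -> None:
        if msg.interface != self.iface.name:
            return
        if msg.kind == "set_run":
            self.iface.mode = Mode.RUN
        elif msg.kind == "set_debug":
            self.iface.mode = Mode.DEBUG

    def admits_terminal(self) -> bool:
        """Blocking mode refuses every terminal; whether debugging mode forwards
        terminal traffic is not specified in the text, so it is treated as closed."""
        return self.iface.mode is Mode.RUN and self.iface.is_up


def unplug_replug_scenario() -> List[str]:
    """Constructed sequence: cable pulled, a device plugged back in, NMS clears the lock.
    Returns the interface mode after each step."""
    dev = AccessDevice(Interface("eth0"))
    dev.enable_monitoring()
    trace = [dev.iface.mode.value]
    dev.on_link_change(is_up=False, now=10.0)   # UP -> DOWN: locks at once
    trace.append(dev.iface.mode.value)
    dev.on_link_change(is_up=True, now=12.0)    # link back UP: still locked
    trace.append(dev.iface.mode.value)
    dev.handle_nms_message(Message("set_run", "eth0"))   # operator clears it
    trace.append(dev.iface.mode.value)
    return trace


if __name__ == "__main__":
    print(unplug_replug_scenario())   # ['run', 'blocked', 'blocked', 'run']
```

The threshold trigger in `tick` matters in the one case the other triggers miss: the NMS returns a port to the operating mode while its link is still DOWN, and the port then stays DOWN; after `down_threshold` seconds it locks again and sends a fresh first message, so the management system sees every lock as a separate event.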

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410070449.5 2014-02-28
CN201410070449.5A CN104883340B (en) 2014-02-28 2014-02-28 The method and access device of Intrusion prevention

Publications (1)

Publication Number Publication Date
WO2015127831A1 true WO2015127831A1 (en) 2015-09-03

Family

ID=53950675

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/070371 WO2015127831A1 (en) 2014-02-28 2015-01-08 Anti-intrusion method and access device

Country Status (2)

Country Link
CN (1) CN104883340B (en)
WO (1) WO2015127831A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835332A (en) * 2020-06-08 2020-10-27 上海美仁半导体有限公司 Programmable chip, unlocking method and household appliance

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105610588A (en) * 2015-12-18 2016-05-25 福建星网锐捷网络有限公司 Control method and device for dummy equipment
CN113347511B (en) * 2021-05-24 2023-05-12 广西电网有限责任公司 Method, device and system for defending hop-by-hop attack in optical transmission network

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1764158A (en) * 2004-10-06 2006-04-26 三星电子株式会社 Differentiated intrusion detection in the network
CN101895543A (en) * 2010-07-12 2010-11-24 江苏华丽网络工程有限公司 Method for effectively defending flood attack based on network switching equipment

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340240B (en) * 2008-08-26 2012-09-26 中兴通讯股份有限公司 Method and system for remote controlling status of optical module in optical network
CN102523348A (en) * 2011-12-19 2012-06-27 广东步步高电子工业有限公司 Device and method for unlocking mobile terminal

Also Published As

Publication number Publication date
CN104883340B (en) 2018-10-12
CN104883340A (en) 2015-09-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15756027

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15756027

Country of ref document: EP

Kind code of ref document: A1