CN101009597A - Subdivision method of the user network access style and network system - Google Patents


Info

Publication number
CN101009597A
Authority
CN
China
Prior art keywords
subscriber
outlet end
server
data message
user
Legal status
Pending
Application number
CN 200610173220
Other languages
Chinese (zh)
Inventor
陈志民
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN 200610173220
Publication of CN101009597A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The disclosed method for subdividing the type of a user's Internet access comprises: deploying a monitoring device to inspect the data messages sent by a subscriber's outlet end, and forbidding that outlet end from accessing the Internet when it is judged to be sharing the access among multiple computers; and, for a user who has applied for the multi-computer sharing service, providing an encrypted tunnel established between a server and the subscriber's outlet end over which the data is transmitted, with the server accessing the network resources on the user's behalf. The invention lets the access provider add value to its service.

Description

Method and network system for subdividing user network access types
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and a network system for subdividing user network access types.
Background art
At present many Internet users apply for a single access account from an access provider and let several computers on an internal local area network (LAN) share it. Multi-computer sharing on a LAN is usually done with network address translation (NAT): the access provider assigns one legal Internet Protocol (IP) address, and each computer on the LAN uses an internal private IP address. Network address translation rewrites the private IP address of each computer on the LAN into the legal IP address of the NAT device or computer at the LAN's outlet, and every computer on the LAN reaches the Internet through that NAT device or computer. As a result, at the IP layer and below, the data messages sent by every computer on the LAN appear to have been sent by the same host, the one holding the legal IP address.
For various reasons, access providers restrict multi-computer sharing by deploying a user multi-machine monitoring and restriction system, such as the Netsniper system. When the monitoring device in such a system detects that a user has used several computers to share one access account, it sends a message to the network management device in the system, which automatically cuts off that account's Internet access. Specifically, the monitoring device inspects the content above the IP layer of all data messages sent by the subscriber's outlet end and parses from it the IP address or hostname of the sending computer. If more than one source IP address or hostname is found in the data messages, the user is judged to have used several computers to go online. The monitoring device then sends a report message to the network management device, which automatically cuts off the account's Internet access so that the account's user cannot go online.
However, many users currently need multi-computer sharing. Simply using the above method to stop users from sharing amounts to ignoring this demand, and users may adopt all sorts of methods to get around the access provider's restriction. If the access provider could offer differentiated services to this type of user and to users who have only one computer, it could add value to its business.
Summary of the invention
The technical problem solved by the embodiments of the invention is to provide a method and a network system for subdividing user network access types, so that the type of a user's Internet access can be distinguished and the user can be given differentiated services.
To solve the above technical problem, the present invention is achieved by the following technical solutions:
According to one aspect of the present invention, a method for subdividing user network access types is provided, comprising: deploying a monitoring device to detect the data messages transmitted by a subscriber's outlet end and, when the subscriber's outlet end is judged to be sharing the Internet access among multiple computers, forbidding that outlet end from accessing Internet resources by means of a network management device; and, for a user who has applied for the multi-computer sharing service, providing an encrypted tunnel established between a server and the subscriber's outlet end for transmitting encrypted data messages, where the server and the subscriber's outlet end each decrypt the data messages they receive and the server completes the access to the network resources.
The encryption and decryption comprise using a public-key algorithm or a secret-key algorithm.
The subscriber's outlet end and the server establish the encrypted tunnel after both have been configured with the same tunnel protocol.
The tunnel protocol comprises the Secure Shell (SSH) protocol or the IP Security (IPsec) protocol.
When the SSH protocol is configured between the subscriber's outlet end and the server, the subscriber's outlet end configures a proxy service port through the client program of the SSH protocol.
The subscriber's outlet end is a computer or a dedicated outlet network device.
According to another aspect of the invention, a network system for subdividing user network access types is provided, comprising a monitoring device, a network management device, a subscriber's outlet end and a server. The monitoring device is used to detect the data messages transmitted by the subscriber's outlet end and, when the subscriber's outlet end is judged to be sharing the Internet access among multiple computers, to report a message to the network management device. The network management device is used to forbid the subscriber's outlet end from accessing Internet resources after receiving the report message. The subscriber's outlet end is used, after the multi-computer sharing service has been applied for, to encrypt data messages, to establish an encrypted tunnel with the server for transmitting the encrypted data messages, and to receive and decrypt the encrypted data messages sent by the server. The server is used to encrypt data messages, to establish the encrypted tunnel with the subscriber's outlet end after the multi-computer sharing service has been applied for, to receive and decrypt the encrypted data messages sent by the subscriber's outlet end, and to complete the access to the Internet resources.
The subscriber's outlet end comprises a first encryption unit, a configuration unit, a first transmission unit and a first decryption unit. The first encryption unit is used to encrypt the data messages to be sent using a public-key algorithm or a secret-key algorithm; the configuration unit is used to configure the same tunnel protocol as the server and to establish the encrypted tunnel with the server; the first transmission unit is used to send the data messages encrypted by the first encryption unit to the server through the encrypted tunnel and to receive the encrypted data messages sent by the server; the first decryption unit is used to decrypt the received encrypted data messages according to the encryption algorithm used by the server.
The server comprises a second transmission unit, a second decryption unit, a second encryption unit and an access unit. The second transmission unit is used to receive the encrypted data messages sent by the subscriber's outlet end and to send the data messages encrypted by the second encryption unit to the subscriber's outlet end; the second decryption unit is used to decrypt the received encrypted data messages according to the encryption algorithm used by the subscriber's outlet end; the second encryption unit is used to encrypt the data messages to be sent to the subscriber's outlet end using a public-key algorithm or a secret-key algorithm; the access unit is used to access Internet resources according to the decrypted data messages.
The subscriber's outlet end is a computer or a dedicated outlet network device.
As can be seen from the technical solutions of the above embodiments of the invention:
By deploying a monitoring device to detect the data messages transmitted by the subscriber's outlet end and, when the outlet end is judged to be sharing the Internet access among multiple computers, forbidding it from accessing Internet resources by means of the network management device, the embodiments of the invention can restrict users who share Internet access illegitimately. For a user who has applied for the multi-computer sharing service, an encrypted tunnel established between the server and the subscriber's outlet end is provided for transmitting encrypted data messages; the server and the subscriber's outlet end each decrypt the data messages they receive, and the server completes the access to the network resources, so this user is not affected by the deployed monitoring device and network management device. With the technical solution provided by the embodiments of the invention, the access provider can subdivide user network access types, distinguish illegitimate sharing from legitimate sharing, and provide differentiated services to different users, thereby adding value to its business.
Description of drawings
Fig. 1 is a flowchart of the method for subdividing user network access types according to an embodiment of the invention;
Fig. 2 is a flowchart of providing the encryption service in the method for subdividing user network access types according to an embodiment of the invention;
Fig. 3 is a flowchart of embodiment one of providing the encryption service in the method for subdividing user network access types according to an embodiment of the invention;
Fig. 4 is a flowchart of embodiment two of providing the encryption service in the method for subdividing user network access types according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the network architecture for subdividing user network access types according to an embodiment of the invention.
Embodiments
The embodiments of the invention provide a method for subdividing user network access types that can distinguish the type of a user's Internet access and give the user differentiated services.
After deploying the user multi-machine monitoring and restriction system, the access provider can additionally deploy, for users who have applied for the multi-computer sharing service, a system that passes the restriction on multi-computer sharing. If a user has several computers that need to share one access account, and pays to have the multi-computer sharing service opened, that user is given a secure encrypted tunnel which guarantees normal Internet access unaffected by the previously deployed user multi-machine monitoring and restriction system. The maximum number of computers a user may share at the same time can be agreed in a service agreement between the access provider and the user. In this way, ordinary users with only one computer and multi-machine users who have applied for the multi-computer sharing service are both unaffected by the user multi-machine monitoring and restriction system and can go online normally, whereas multi-machine users who have not applied for the service are detected by the deployed user multi-machine monitoring and restriction system and are restricted from going online.
The secure encrypted tunnel that the embodiments of the invention provide for users who have applied for shared access uses virtual private network (VPN) technology. VPN technology relies on "encryption" and "tunneling" to guarantee the safety of the transmitted data. Tunneling is a way of transmitting data messages between networks across the infrastructure of the Internet. A tunnel is the logical path that encapsulated data messages traverse when they are transmitted over the public Internet. The data messages carried through the tunnel can be frames or packets of different protocols. The devices at both ends of the tunnel must be configured with the same tunnel protocol.
The method of the embodiments establishes an encrypted tunnel between the subscriber's outlet end and a point somewhere on the Internet; on this section of the path all traffic is securely encrypted. The subscriber's outlet end may be the LAN's outlet computer or a dedicated outlet network device, for example a switch or a router. The point on the Internet is an encryption server provided by the access provider. The user multi-machine monitoring and restriction system originally deployed by the access provider sits on this section of the path; once the encrypted tunnel between the subscriber's outlet end and the encryption server has been established, all that system can detect is a heap of encrypted "garbled code", so it cannot parse from the upper-layer application protocol data messages any information on whether the user is sharing the access among multiple computers.
Referring to Fig. 1, the flowchart of the method for subdividing user network access types, the method specifically comprises the following steps:
A1. Deploy a user multi-machine monitoring and restriction system to restrict the subscriber's outlet end from sharing the access.
Specifically, the monitoring device in the user multi-machine monitoring and restriction system inspects the content above the IP layer of all data messages transmitted by the subscriber's outlet end and parses from it the IP address or hostname of the sending computer. If more than one source IP address or hostname is found in the data messages, the user is judged to have used several computers to go online. The monitoring device then sends a report message to the network management device in the user multi-machine monitoring and restriction system, and the network management device automatically cuts off the account's Internet access so that the account's user cannot go online.
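The following Python is an added example, not code from the patent or from the Netsniper product, that models the monitoring rule described in the Background art section and in step A1. A NAT at the LAN outlet rewrites every private source address to the account's one legal IP, so the monitor cannot count hosts at the IP layer and instead counts distinct host identities parsed from the content above it, reporting sharing when it finds more than one. The `host=` and `addr=` record fields, the addresses and the opaque tunnel payloads are constructed stand-ins for whatever above-IP fields a real monitor parses; the third input shows the limit the patent relies on, namely that the same rule can reach no verdict once the payload is tunnel ciphertext.

```python
import re
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"  # constructed: the single legal IP assigned to the account


@dataclass(frozen=True)
class Packet:
    src_ip: str     # IP-layer source address as the monitor sees it
    payload: bytes  # everything above the IP layer


def nat_translate(packets):
    """Model the NAT device at the LAN outlet: every private source address is
    rewritten to the account's one legal IP, so at and below the IP layer all
    packets look as if they came from a single host."""
    return [Packet(PUBLIC_IP, p.payload) for p in packets]


# Constructed above-IP record fields that name the sending computer.
_HOST_RE = re.compile(rb"host=([A-Za-z0-9._-]+)")
_ADDR_RE = re.compile(rb"addr=(\d{1,3}(?:\.\d{1,3}){3})")


def extract_identity(payload: bytes):
    """Return the sending computer's hostname or inner IP address when the
    above-IP content is parsable, otherwise None (e.g. tunnel ciphertext)."""
    m = _HOST_RE.search(payload) or _ADDR_RE.search(payload)
    return m.group(1).decode("ascii") if m else None


def judge_outlet(packets):
    """The monitor's rule: more than one distinct source identity parsed from
    above-IP content means multi-computer sharing."""
    identities = {i for i in (extract_identity(p.payload) for p in packets) if i}
    if len(identities) > 1:
        verdict = "shared"
    elif len(identities) == 1:
        verdict = "single"
    else:
        verdict = "undetermined"  # nothing parsable: the monitor sees only "garbled code"
    return {"ip_sources": {p.src_ip for p in packets},
            "identities": identities, "verdict": verdict}


def report_to_nms(verdict: str) -> bool:
    """Outcome of step A1: the network management device cuts the account off
    only when the monitor reports sharing."""
    return verdict == "shared"


# Constructed plaintext traffic from three LAN computers behind one account.
LAN_PACKETS = [
    Packet("192.168.1.2", b"app-record host=desk-a user=alice"),
    Packet("192.168.1.3", b"app-record addr=192.168.1.3 user=bob"),
    Packet("192.168.1.4", b"app-record host=desk-c user=carol"),
]

# Constructed opaque bytes standing in for the same traffic once it is carried
# through the encrypted tunnel of step A2 (no real cipher is applied here).
TUNNEL_PACKETS = [
    Packet("192.168.1.2", bytes.fromhex("c41f9a02e7b36d5811aa4cf0933e72d6")),
    Packet("192.168.1.3", bytes.fromhex("0b8e51d9a3f47c2266e1b0d5f9a83c14")),
    Packet("192.168.1.4", bytes.fromhex("7d2a6ef0c3985b1a44d07e9c2f61ab38")),
]

if __name__ == "__main__":
    for name, pkts in (("plaintext", LAN_PACKETS), ("tunnelled", TUNNEL_PACKETS)):
        result = judge_outlet(nat_translate(pkts))
        print(name, result["verdict"], "cut off:", report_to_nms(result["verdict"]))
```

Running it shows one IP-layer source in both cases; the plaintext traffic yields three identities and the verdict "shared", while the tunnelled traffic yields no identity and therefore no report to the network management device.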
A2. Provide the encryption service to users who have applied for the shared access service, so that they can share the access.
For a user who has applied for the multi-computer sharing service, the access provider provides an encryption service so that this type of user can go online normally, unaffected by the previously deployed user multi-machine monitoring and restriction system.
The specific steps are described with reference to Fig. 2 and comprise:
A21. Encrypt the data messages transmitted between the subscriber's outlet end and the tunnel server.
After the user has purchased the encryption service from the access provider, the user's subscriber's outlet end is configured with the corresponding VPN settings and establishes an encrypted tunnel with the encryption server provided by the access provider, which acts as the tunnel server; the data messages sent by the subscriber's outlet end are encrypted, and the tunnel server likewise encrypts the data messages it sends to the subscriber's outlet end. When the encrypted tunnel is established, the subscriber's outlet end and the tunnel server provided by the access provider are both configured with the same tunnel protocol. Any tunnel protocol may be used; the invention is not limited in this respect. For example, the SSH protocol, the IPsec protocol, the SSL protocol or another tunnel protocol may be used to establish the encrypted tunnel.
Any encryption algorithm may be selected when the data is encrypted; the invention is not limited in this respect. For example, a public-key algorithm or a secret-key algorithm may be used. Public-key algorithms include, for example, the RSA (Rivest-Shamir-Adleman) algorithm and the Digital Signature Algorithm (DSA); secret-key algorithms include, for example, the Data Encryption Standard (DES) algorithm, the RC5 block cipher, the International Data Encryption Algorithm (IDEA) and the Blowfish algorithm.
A22. Transmit the encrypted data messages through the encrypted tunnel established between the subscriber's outlet end and the tunnel server.
The subscriber's outlet end sends the encrypted data messages to the tunnel server through the encrypted tunnel, and the encrypted data messages that the tunnel server sends to the subscriber's outlet end are also transmitted through the encrypted tunnel.
A23. The tunnel server receives the data messages encrypted by the subscriber's outlet end, decrypts them and accesses the Internet resources.
The data messages of every computer on the LAN are encrypted at the subscriber's outlet end, transmitted through the encrypted tunnel to the tunnel server, and finally decrypted by the tunnel server according to the encryption algorithm used by the subscriber's outlet end, after which the tunnel server completes the access to the network resources. Likewise, after receiving the encrypted data messages sent by the tunnel server, the subscriber's outlet end decrypts them according to the encryption algorithm used by the tunnel server. In general, the subscriber's outlet end and the tunnel server use the same encryption and decryption algorithm.
Because all data messages transmitted between the subscriber's outlet end and the tunnel server are encrypted, all that the user multi-machine monitoring and restriction system deployed by the access provider itself can detect is a heap of encrypted "garbled code"; it cannot parse the content of the data messages and cannot determine that the user has used several computers to go online. That is, when a user pays to have the multi-computer sharing service opened, the access provider provides a secure encrypted tunnel for that user, guaranteeing normal Internet access unaffected by the previously deployed user multi-machine monitoring and restriction system. For the access provider, adopting and deploying two "mutually exclusive" technologies at the same time subdivides the types of Internet users, provides differentiated services to users with only one computer and users with several computers sharing the access, and adds value to its business.
The encryption service that the invention provides for users who have applied for the multi-computer sharing service can be implemented in different ways; each specific embodiment is introduced below.
Embodiment one is introduced first: an encrypted tunnel is established using the Secure Shell (SSH) protocol to realize shared access. The SSH protocol is a family of protocols formulated by the Network Working Group of the Internet Engineering Task Force (IETF); its purpose is to provide secure remote login and other secure network services over an insecure network. The SSH protocol supports authentication and data encryption, and encrypts all transmitted data. There are many implementations of the SSH protocol, such as the open-source OpenSSH software and commercial software such as Tectia and SecureCRT. They are all fairly simple to configure and use, and they support compression, so the actual transmission efficiency does not drop because of the overhead of the SSH protocol.
Referring to Fig. 3, the flowchart of embodiment one of providing the encryption service, the steps are:
B1. Encrypt the data messages transmitted between the subscriber's outlet end and the SSH server.
The client program of the SSH protocol runs on the subscriber's outlet end, and the access provider sets up an SSH server on the Internet. The subscriber's outlet end and the SSH server establish an encrypted tunnel using the SSH protocol, and the data messages transmitted between the subscriber's outlet end and the SSH server are encrypted.
To establish the tunnel, the SSH server first runs the service program of the SSH protocol, for example the sshd program of OpenSSH, and the subscriber's outlet end on the customer side runs the client program of the SSH protocol in "dynamic port forwarding" mode. Taking the ssh application of OpenSSH as an example, the command line and parameters are: ssh -D 1080 server_name, where server_name is the hostname or IP address of the SSH server. This command opens port 1080 on the subscriber's outlet end as a SOCKS proxy service port. Each computer on the LAN then uses this application-layer SOCKS proxy. Upper-layer applications are unaffected as long as they support a SOCKS proxy; for example, the commonly used IE, Firefox and Netscape browsers, the chat tools MSN and QQ, and the mail software Outlook Express and Foxmail all run normally.
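As an added example that is not code from the patent or from OpenSSH, the following Python models the SOCKS5 (RFC 1928) CONNECT exchange that a LAN application performs against the proxy port opened by ssh -D 1080. In embodiment one the server role below is played by the ssh client process on the subscriber's outlet end, which accepts the CONNECT and relays the connection through the SSH tunnel; here both sides run in memory, the server side only parses the request and answers it without opening a real connection, and the hostnames, ports and reply codes for the failure cases are constructed inputs.

```python
import socket
import struct

VER = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x07, 0x08


def client_greeting() -> bytes:
    """VER, NMETHODS, METHODS: the LAN application offers only 'no authentication'."""
    return bytes([VER, 1, NO_AUTH])


def server_select_method(greeting: bytes) -> bytes:
    """The proxy (the ssh -D process) answers with the method it accepts."""
    if len(greeting) < 2 or greeting[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    n = greeting[1]
    methods = greeting[2:2 + n]
    if len(methods) != n:
        raise ValueError("truncated method list")
    return bytes([VER, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])


def client_connect_request(host: str, port: int) -> bytes:
    """CONNECT with a domain-name target, so name resolution happens at the
    far end of the tunnel rather than on the LAN computer."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return (bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def _reply(rep: int, bound=("0.0.0.0", 0)) -> bytes:
    """VER, REP, RSV, ATYP, BND.ADDR, BND.PORT (constructed bound address)."""
    addr, port = bound
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(addr) + struct.pack("!H", port)


def server_handle_request(req: bytes):
    """Parse the request; return (reply bytes, (host, port) to relay or None)."""
    if len(req) < 4 or req[0] != VER or req[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if cmd != CMD_CONNECT:
        return _reply(REP_CMD_UNSUPPORTED), None
    if atyp == ATYP_IPV4:
        if len(req) < 10:
            raise ValueError("truncated IPv4 request")
        host, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        return _reply(REP_ATYP_UNSUPPORTED), None
    if len(rest) != 2:
        raise ValueError("malformed destination port")
    port = struct.unpack("!H", rest)[0]
    return _reply(REP_SUCCEEDED), (host, port)


def client_parse_reply(reply: bytes) -> int:
    """Return the REP code the application checks before sending data."""
    if len(reply) < 4 or reply[0] != VER:
        raise ValueError("malformed SOCKS5 reply")
    return reply[1]


def proxy_handshake(host: str, port: int):
    """Run the whole exchange in memory; return (REP code, relay target)."""
    if server_select_method(client_greeting())[1] != NO_AUTH:
        raise RuntimeError("no acceptable authentication method")
    reply, target = server_handle_request(client_connect_request(host, port))
    return client_parse_reply(reply), target


if __name__ == "__main__":
    print(proxy_handshake("example.com", 443))  # constructed target
```

Each computer on the LAN speaks only this small protocol to port 1080; the ssh process then carries the relayed connection inside the SSH session, which is why the traffic the access provider's monitor sees between the outlet end and the SSH server is ciphertext.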
Any encryption algorithm may be selected when the data messages are encrypted; the invention is not limited in this respect. For example, a public-key algorithm or a secret-key algorithm may be used.
B2. Transmit the encrypted data messages through the encrypted tunnel established between the subscriber's outlet end and the SSH server.
The subscriber's outlet end sends the encrypted data messages to the SSH server through the encrypted tunnel, and the encrypted data messages that the SSH server sends to the subscriber's outlet end are also transmitted through the encrypted tunnel.
B3. The SSH server receives the data messages encrypted by the subscriber's outlet end, decrypts them and accesses the Internet resources.
The data messages of every computer on the LAN are encrypted at the subscriber's outlet end, transmitted through the encrypted tunnel to the SSH server, and finally decrypted by the SSH server according to the encryption algorithm used by the subscriber's outlet end, after which the SSH server completes the access to the network resources. Likewise, after receiving the encrypted data messages sent by the SSH server, the subscriber's outlet end decrypts them according to the encryption algorithm used by the SSH server.
Because all data messages transmitted between the subscriber's outlet end and the SSH server are encrypted, all that the access provider's user multi-machine monitoring and restriction system can detect is a heap of encrypted "garbled code"; it cannot parse the content of the data messages and cannot determine that the user has used several computers to go online.
Embodiment two is introduced next: an encrypted tunnel is established using the IPsec protocol to realize shared access. The IPsec protocol is a layer-3 tunnel protocol that supports the secure transmission of data over IP networks. IPsec supports encrypting the data and at the same time guarantees its integrity. An IPsec tunnel consists of a tunnel client and a tunnel server; both ends are configured to use the IPsec protocol, and the encryption mechanism is negotiated between them.
Referring to Fig. 4, the flowchart of embodiment two of providing the encryption service, the steps are:
C1. Encrypt the data messages transmitted between the subscriber's outlet end and the IPsec server.
The access provider sets up an IPsec server on the Internet. The subscriber's outlet end and the IPsec server are both configured with the IPsec protocol, establish an encrypted tunnel using the IPsec protocol, and encrypt the data messages transmitted between the subscriber's outlet end and the IPsec server.
Any encryption algorithm may be selected when the data messages are encrypted; the invention is not limited in this respect. For example, a public-key algorithm or a secret-key algorithm may be used.
C2. Transmit the encrypted data messages through the encrypted tunnel established between the subscriber's outlet end and the IPsec server.
The subscriber's outlet end sends the encrypted data messages to the IPsec server through the encrypted tunnel, and the encrypted data messages that the IPsec server sends to the subscriber's outlet end are also transmitted through the encrypted tunnel.
C3. The IPsec server receives the data messages encrypted by the subscriber's outlet end, decrypts them and accesses the Internet resources.
The data messages of every computer on the LAN are encrypted at the subscriber's outlet end, transmitted through the encrypted tunnel to the IPsec server, and finally decrypted by the IPsec server according to the encryption algorithm used by the subscriber's outlet end, after which the IPsec server completes the access to the network resources. Likewise, after receiving the encrypted data messages sent by the IPsec server, the subscriber's outlet end decrypts them according to the encryption algorithm used by the IPsec server.
Because all data messages transmitted between the subscriber's outlet end and the IPsec server are encrypted, all that the access provider's user multi-machine monitoring and restriction system can detect is a heap of encrypted "garbled code"; it cannot parse the content of the data messages and cannot determine that the user has used several computers to go online.
It should be noted that the above describes two specific implementations in which an encrypted tunnel is established for a user who has applied for the multi-computer sharing service, encrypted data messages are transmitted through the encrypted tunnel between the subscriber's outlet end and the tunnel server, and the tunnel server finally completes the access to the network resources, thereby realizing shared access. The invention is not limited to these two: other tunnel protocols, such as the Secure Sockets Layer (SSL) protocol, may also be used to establish the encrypted tunnel and realize shared access, on the same principle.
Foregoing describes the specific implementation method that the present invention segments user network access style in detail, and corresponding, the embodiment of the invention also provides a kind of network system of segmenting user network access style, can distinguish user network access style.
Seeing also Fig. 5, is the network architecture schematic diagram of embodiment of the invention segmentation user network access style.
As shown in Figure 5, the network system of the embodiment of the invention comprises subscriber's outlet end 10, server 20 and monitoring of user's multimachine and restriction system 30.
Subscriber's outlet end 10 is used for after application Multi-computer Sharing business of networking the data message being encrypted, and sets up encryption tunnel transmission ciphered data message, the ciphered data message and the corresponding deciphering of reception server 20 transmission with server 20.Server 20, be used for the data message is encrypted, set up encryption tunnel transmission ciphered data message with the subscriber's outlet end 10 after the application Multi-computer Sharing business of networking, receive the ciphered data message and the corresponding deciphering of 10 transmission of subscriber's outlet end, finish visit Internet resources.
The subscriber outlet end 10 is a computer or a dedicated outlet network device, for example a switch or a router. The subscriber outlet end 10 comprises a first encryption unit 101, a configuration unit 102, a first transmission unit 103 and a first decryption unit 104. The first encryption unit 101 encrypts the data messages to be sent using a public-key algorithm or a symmetric-key algorithm. The configuration unit 102 configures the same tunnel protocol as the server 20 and establishes an encrypted tunnel to the server 20; any tunnel protocol may be used and the invention does not limit the choice, for example the SSH protocol, the IPsec protocol or the SSL protocol may be used to set up the encrypted tunnel. The first transmission unit 103 sends the data messages encrypted by the first encryption unit 101 to the server 20 through the encrypted tunnel and receives the encrypted data messages sent by the server 20. The first decryption unit 104 decrypts the received encrypted data messages according to the cryptographic algorithm adopted by the server 20.
The server 20 is provided by the access provider and comprises a second transmission unit 201, a second decryption unit 202, a second encryption unit 203 and an access unit 204. The second transmission unit 201 receives the encrypted data messages sent by the subscriber outlet end 10 and sends the data messages encrypted by the second encryption unit 203 to the subscriber outlet end 10. The second decryption unit 202 decrypts the received encrypted data messages according to the cryptographic algorithm adopted by the subscriber outlet end 10. The second encryption unit 203 encrypts the data messages to be sent to the subscriber outlet end 10 using a public-key algorithm or a symmetric-key algorithm. The access unit 204 accesses Internet resources according to the decrypted data messages.
The user multi-computer monitoring and restriction system 30 comprises a monitoring device 301 and a network management device 302. The monitoring device 301 detects the data messages sent by the subscriber outlet end 10 and, when it judges that the subscriber outlet end 10 is sharing the connection among multiple computers, reports this to the network management device 302; after receiving the report, the network management device 302 forbids this subscriber outlet end 10 from accessing Internet resources. Specifically, the monitoring device 301 inspects the content at and above the IP layer of all data messages sent by the subscriber outlet end 10 and parses out the IP address or hostname of the sending computer. If more than one source IP address or hostname is found in the data messages, it judges that the user is accessing the Internet from several computers.
The user multi-computer monitoring and restriction system 30 is deployed by the access provider to prevent a subscriber who has applied for only one network access account from sharing it among several computers. If the user has several computers that need to share one access account and pays to open the multi-computer shared access service, the access provider provides this user with the encrypted tunnel established between the server 20 and the subscriber outlet end 10 for transmitting encrypted data messages, and access to Internet resources is finally completed through the server 20.
Because all data messages transmitted between the server 20 and the subscriber outlet end 10 are encrypted, the user multi-computer monitoring and restriction system 30 that the access provider itself deployed can only detect a pile of encrypted "garbled code": it cannot parse the content of the data messages and cannot determine that the user is accessing the Internet from several computers, so such a user is not affected by the previously deployed user multi-computer monitoring and restriction system 30. If the user has not applied for the multi-computer shared access service, the deployed user multi-computer monitoring and restriction system 30 detects the sharing, and the user is restricted and cannot access the Internet.
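The following is an added example, not code from the patent or from Huawei: a model of the monitoring device 301 and network management device 302 described above, run over constructed sample messages. It applies the description's rule (more than one distinct source IP address or hostname parsed from the plaintext above the IP layer means multi-computer sharing) and shows why the same monitor learns nothing from a port whose traffic is wrapped in the encrypted tunnel to server 20: only the outer source address is readable and no hostname can be parsed. The record layout, field names, addresses, hostnames and verdict strings are assumptions made for the example.

```python
# Added example (not part of the patent): a model of monitoring device 301
# and network management device 302. All records are constructed sample
# data; field names and verdict strings are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Iterable, Optional


@dataclass(frozen=True)
class Record:
    """One data message as seen at the subscriber outlet port (constructed)."""
    src_ip: str                      # source address in the IP header
    hostname: Optional[str] = None   # sending host's name parsed above the IP layer, if any
    encrypted: bool = False          # True when the payload is an encrypted tunnel frame


@dataclass
class PortObservation:
    """What monitoring device 301 learns about one subscriber outlet port."""
    src_ips: set = field(default_factory=set)
    hostnames: set = field(default_factory=set)
    opaque: int = 0                  # messages whose payload could not be parsed


def observe(records: Iterable[Record]) -> PortObservation:
    """Inspect every message from the port, as monitoring device 301 does.

    For plaintext messages the monitor records the source IP address and any
    hostname it can recover from the content above the IP layer. For
    encrypted tunnel frames only the outer IP header is readable, so just the
    outer source address is recorded and the payload is counted as opaque.
    """
    obs = PortObservation()
    for rec in records:
        obs.src_ips.add(rec.src_ip)
        if rec.encrypted:
            obs.opaque += 1          # "garbled code": nothing to parse
            continue
        if rec.hostname:
            obs.hostnames.add(rec.hostname)
    return obs


def is_multi_computer(obs: PortObservation) -> bool:
    """The description's rule: more than one source IP or hostname means sharing."""
    return len(obs.src_ips) > 1 or len(obs.hostnames) > 1


def decide(records: Iterable[Record]) -> str:
    """Network management device 302: 'deny' after a sharing report, else 'allow'."""
    return "deny" if is_multi_computer(observe(records)) else "allow"


# Constructed samples. 203.0.113.0/24 is a documentation range (TEST-NET-3).
OUTLET = "203.0.113.10"              # address of subscriber outlet end 10

# One computer on one access account: one address, one name.
SINGLE_HOST = [
    Record(OUTLET, hostname="office-pc"),
    Record(OUTLET, hostname="office-pc"),
    Record(OUTLET),
]

# Several computers behind a switch-type outlet without the shared-access
# service: the plaintext exposes two source addresses and two hostnames.
PLAINTEXT_SHARED = [
    Record("192.168.1.10", hostname="office-pc"),
    Record("192.168.1.11", hostname="laptop"),
    Record("192.168.1.10"),
]

# The same computers, but outlet end 10 wraps everything in the encrypted
# tunnel to server 20: the monitor sees one outer address and no names.
TUNNELLED = [Record(OUTLET, encrypted=True) for _ in range(3)]


if __name__ == "__main__":
    for label, records in (("single host", SINGLE_HOST),
                           ("plaintext shared", PLAINTEXT_SHARED),
                           ("tunnelled shared", TUNNELLED)):
        obs = observe(records)
        print(f"{label:17s} src_ips={sorted(obs.src_ips)} "
              f"hostnames={sorted(obs.hostnames)} opaque={obs.opaque} "
              f"-> {decide(records)}")
```

Two points the run makes visible. First, the monitor's verdict rests entirely on plaintext visibility: a router-type outlet that performs address translation already collapses the inner hosts to one source address, which is why the description also parses hostnames above the IP layer, and the tunnel removes that last signal. Second, the tunnelled port is still distinguishable as tunnelled (every payload is opaque and goes to server 20), so an access provider that wants the two systems to stay "mutually exclusive" has to accept opaque traffic only from ports that have subscribed to the shared-access service, which the page leaves to the provider's own account records.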
For the access provider, deploying these two "mutually exclusive" systems at the same time subdivides the types of Internet users and provides differentiated service to users with a single computer and users who share the connection among several computers, thereby realizing a value-added service.
The method and network system for subdividing user network access types provided by the present invention have been described in detail above. Specific examples have been used to explain the principle and embodiments of the invention; the description of the above embodiments is only intended to help understand the method of the invention and its core idea. At the same time, a person of ordinary skill in the art may, following the idea of the invention, make changes to the specific embodiments and the scope of application. In summary, this description should not be construed as limiting the invention.

Claims (10)

1. A method of subdividing user network access types, characterized in that it comprises:
deploying a monitoring device to detect the data messages transmitted by a subscriber outlet end and, when the subscriber outlet end is judged to be sharing the connection among multiple computers, forbidding this subscriber outlet end from accessing Internet resources through a network management device;
for a user who has applied for the multi-computer shared access service, providing an encrypted tunnel established between a server and the subscriber outlet end for transmitting encrypted data messages, the server and the subscriber outlet end each correspondingly decrypting the data messages they receive, and completing access to Internet resources through the server.
2. The method of subdividing user network access types according to claim 1, characterized in that:
said encryption and decryption comprise adopting a public-key algorithm or a symmetric-key algorithm.
3. The method of subdividing user network access types according to claim 1 or 2, characterized in that:
said subscriber outlet end and the server establish the encrypted tunnel after configuring the same tunnel protocol.
4. The method of subdividing user network access types according to claim 3, characterized in that:
said tunnel protocol comprises the Secure Shell (SSH) protocol or the tunnel-mode IPsec protocol.
5. The method of subdividing user network access types according to claim 4, characterized in that:
when the Secure Shell (SSH) protocol is configured between said subscriber outlet end and the server, the subscriber outlet end configures a proxy service port through the client program of the SSH protocol.
6. The method of subdividing user network access types according to claim 1, characterized in that:
said subscriber outlet end is a computer or a dedicated outlet network device.
7. A network system, characterized in that:
it comprises a monitoring device, a network management device, a subscriber outlet end and a server;
the monitoring device is used to detect the data messages transmitted by the subscriber outlet end and, when the subscriber outlet end is judged to be sharing the connection among multiple computers, to report this to the network management device;
the network management device is used to forbid this subscriber outlet end from accessing Internet resources after receiving said report;
the subscriber outlet end is used, after application for the multi-computer shared access service, to encrypt data messages, to establish an encrypted tunnel with the server for transmitting the encrypted data messages, and to receive and correspondingly decrypt the encrypted data messages sent by the server;
the server is used to encrypt data messages, to establish an encrypted tunnel with the subscriber outlet end after its application for the multi-computer shared access service for transmitting the encrypted data messages, to receive and correspondingly decrypt the encrypted data messages sent by the subscriber outlet end, and to complete access to Internet resources.
8. The network system according to claim 7, characterized in that:
said subscriber outlet end comprises a first encryption unit, a configuration unit, a first transmission unit and a first decryption unit,
the first encryption unit being used to encrypt the data messages to be sent using a public-key algorithm or a symmetric-key algorithm;
the configuration unit being used to configure the same tunnel protocol as the server and to establish the encrypted tunnel to the server;
the first transmission unit being used to send the data messages encrypted by the first encryption unit to the server through said encrypted tunnel and to receive the encrypted data messages sent by the server;
the first decryption unit being used to decrypt the received encrypted data messages according to the cryptographic algorithm adopted by the server.
9. The network system according to claim 7 or 8, characterized in that:
said server comprises a second transmission unit, a second decryption unit, a second encryption unit and an access unit,
the second transmission unit being used to receive the encrypted data messages sent by the subscriber outlet end and to send the data messages encrypted by the second encryption unit to the subscriber outlet end;
the second decryption unit being used to decrypt the received encrypted data messages according to the cryptographic algorithm adopted by the subscriber outlet end;
the second encryption unit being used to encrypt the data messages to be sent to the subscriber outlet end using a public-key algorithm or a symmetric-key algorithm;
the access unit being used to access Internet resources according to the decrypted data messages.
10. The network system according to claim 7, characterized in that:
said subscriber outlet end is a computer or a dedicated outlet network device.
Priority Applications (1)

Application Number: CN 200610173220
Priority Date: 2006-12-30
Filing Date: 2006-12-30
Title: Subdivision method of the user network access style and network system
Status at publication: Pending

Publications (1)

Publication Number: CN101009597A
Publication Date: 2007-08-01

Family ID: 38697760

Country Status (1)

CN: CN101009597A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102843375A * | 2012-09-07 | 2012-12-26 | 沈阳通用软件有限公司 | Method for controlling network access based on identification in IP (Internet Protocol) protocol
CN102843375B * | 2012-09-07 | 2014-11-26 | 沈阳通用软件有限公司 | Method for controlling network access based on identification in IP (Internet Protocol) protocol
CN103729600A * | 2012-10-11 | 2014-04-16 | 北京中天安泰信息科技有限公司 | Data security interconnected system establishing method and data security interconnected system
CN103729600B * | 2012-10-11 | 2016-03-23 | 中天安泰(北京)信息技术有限公司 | Data security interacted system method for building up and data security interacted system
CN108574607A * | 2017-03-08 | 2018-09-25 | 中兴通讯股份有限公司 | Shared verification detection method and device based on Virtual Private Network

Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C02 | Deemed withdrawal of patent application after publication (patent law 2001)
WD01 | Invention patent application deemed withdrawn after publication