CN101631121A - Message control method and access equipment in endpoint admission defense - Google Patents

Info

Publication number: CN101631121A
Authority: CN (China)
Prior art keywords: acl, uplink message, mark, message, destination address
Legal status: Granted
Application number: CN200910091725A
Other languages: Chinese (zh)
Other versions: CN101631121B (en)
Inventor: 史计达
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN2009100917255A
Publication of CN101631121A
Application granted
Publication of CN101631121B
Legal status: Expired - Fee Related

Abstract

The invention provides a message control method and an access device for endpoint admission defense (EAD). The method comprises the following steps: issuing an isolation-class ACL and a security-class ACL on the outbound port; on the inbound port, issuing a first-type ACL for each user terminal that failed the security-state authentication and a second-type ACL for each user terminal that passed it; setting a first mark on uplink messages received at the inbound port that match a first-type ACL and then forwarding them to the outbound port, and setting a second mark on uplink messages received at the inbound port that match a second-type ACL and then forwarding them to the outbound port; and, at the outbound port, forwarding the uplink messages that match the isolation-class ACL or the security-class ACL. The invention reduces the number of ACLs the access device must issue and thereby increases the number of user terminals the access device can admit.

Description

Message control method and access device in endpoint admission defense
Technical field
The invention belongs to the field of data communication technology, and in particular relates to a message control method and an access device in endpoint admission defense (Endpoint Admission Defense, EAD).
Background technology
The basic functions of EAD are realised through the cooperation of the security client, the security interaction device (such as a switch or router), the security policy server, and the antivirus and patch servers. Its basic principle is shown in Fig. 1:
(1) When a user terminal attempts to access the network, the security client first cooperates with the security interaction device (the access device) and the security policy server to perform user identity authentication; illegal users are refused access to the network;
(2) The security policy server issues a security policy to legal users and requires them to undergo security-state authentication;
(3) The security client checks the legal user's patch version, virus database version and so on, and reports the result of the security policy check to the security policy server;
(4) The security policy server controls the user's access rights according to the check result:
A user whose security state is not qualified is isolated into a quarantine area by the security interaction device. A user in the quarantine area can only access designated resources, for example the patch server, the virus server and an internal FTP server (controlled by access control lists, ACLs), and uses these designated resources to repair the system and upgrade patches and the virus database until the security state is qualified;
A user whose security state is qualified has the security settings issued by the security policy server enforced, and is provided identity-based network service by the security interaction device; at this point the user can access most network resources (controlled by ACLs).
From the main functions and basic principle of EAD it can be seen that EAD integrates terminal security measures such as terminal anti-virus and patch repair with network security measures such as network access control and access rights control into one linked security system. By checking, isolating, repairing, managing and monitoring the terminals that access the network, it turns passive defence into active defence, single-point defence into all-round defence, and loose management into centralised policy management, raising the whole network's defence capability against emerging security threats such as viruses and worms.
Current EAD implementations all realise user access control by issuing a large number of ACLs at the access interface. For example, in one practical deployment, for each user terminal in the quarantine area the following 12 ACL rules must be issued at that terminal's access interface to control its access (the trailing 0 in each destination rule is the wildcard mask):
acl number 3099
rule 0 deny ip
rule 1 permit udp destination-port eq bootps
rule 2 permit udp destination-port eq bootpc
rule 3 permit ip destination 10.153.0.124 0
rule 4 permit ip destination 10.153.0.123 0
rule 5 permit ip destination 10.154.240.11 0
rule 6 permit ip destination 10.72.65.36 0
rule 7 permit ip destination 10.153.0.62 0
rule 8 permit ip destination 10.153.0.60 0
rule 9 permit ip destination 10.153.0.61 0
rule 10 permit ip destination 10.72.66.36 0
rule 11 permit ip destination 10.72.66.37 0
As can be seen, current implementations rely too heavily on ACLs. In a complex application environment, each time a user comes online the access device must issue many ACLs, generally as many as 10 to 15. The ACL resources that the access device's hardware chip can support are limited, so when each user requires the access device to issue many ACLs, the number of users it can admit drops significantly.
Summary of the invention
The technical problem to be solved by the invention is to provide a message control method and an access device in endpoint admission defense that reduce the number of ACLs the access device issues, and thereby increase the access device's capacity to admit user terminals.
To solve the above technical problem, the invention provides the following technical solution:
A message control method in endpoint admission defense comprises the following steps:
issuing an isolation-class ACL and a security-class ACL on the outbound port, where the matching rule of the isolation-class ACL is: judge whether the uplink message carries the first mark and whether its destination address is a permitted destination address; and the matching rule of the security-class ACL is: judge whether the uplink message carries the second mark and whether its destination address is a permitted destination address;
on the inbound port, issuing a first-type ACL for each user terminal that has not passed the security-state authentication and a second-type ACL for each user terminal that has passed it, where the matching rule of both the first-type ACL and the second-type ACL is: judge whether the source address of the uplink message is a permitted source address;
setting the first mark on uplink messages received at the inbound port that match a first-type ACL and then forwarding them to the outbound port, and setting the second mark on uplink messages received at the inbound port that match a second-type ACL and then forwarding them to the outbound port;
at the outbound port, forwarding the uplink messages that match the isolation-class ACL or the security-class ACL.
In the above message control method, the first mark and the second mark are priority values in the differentiated services code point (DSCP) of the message, or priority values in the 802.1P header of the message.
In the above message control method, the first mark and the second mark may alternatively be values of a field added to the message header; the method then also comprises: before forwarding an uplink message that matches the isolation-class ACL or the security-class ACL, deleting the added field from that uplink message.
In the above message control method, the source address is the MAC address of the user terminal.
A message control method in endpoint admission defense comprises the following steps:
issuing an isolation-class ACL and a security-class ACL on the inbound port of the upstream device of the access device, where the matching rule of the isolation-class ACL is: judge whether the uplink message carries the first mark and whether its destination address is a permitted destination address; and the matching rule of the security-class ACL is: judge whether the uplink message carries the second mark and whether its destination address is a permitted destination address;
on the inbound port of the access device, issuing a first-type ACL for each user terminal that has not passed the security-state authentication and a second-type ACL for each user terminal that has passed it, where the matching rule of both the first-type ACL and the second-type ACL is: judge whether the source address of the uplink message is a permitted source address;
the access device sets the first mark on uplink messages received at its inbound port that match a first-type ACL and forwards them to its outbound port, sets the second mark on uplink messages received at its inbound port that match a second-type ACL and forwards them to its outbound port, and forwards the uplink messages carrying the first or second mark at its outbound port;
the upstream device forwards the received uplink messages that match the isolation-class ACL or the security-class ACL.
An access device in endpoint admission defense comprises:
a first ACL issuing module, for issuing an isolation-class ACL and a security-class ACL on the outbound port, where the matching rule of the isolation-class ACL is: judge whether the uplink message carries the first mark and whether its destination address is a permitted destination address; and the matching rule of the security-class ACL is: judge whether the uplink message carries the second mark and whether its destination address is a permitted destination address;
a second ACL issuing module, for issuing on the inbound port a first-type ACL for each user terminal that has not passed the security-state authentication and a second-type ACL for each user terminal that has passed it, where the matching rule of the first-type ACL is: judge whether the source address of the uplink message is a permitted source address; and the matching rule of the second-type ACL is: judge whether the source address of the uplink message is a permitted source address;
a second ACL processing module, for setting the first mark on uplink messages received at the inbound port that match a first-type ACL and then forwarding them to the outbound port, and setting the second mark on uplink messages received at the inbound port that match a second-type ACL and then forwarding them to the outbound port;
a first ACL processing module, for forwarding at the outbound port the uplink messages that match the isolation-class ACL or the security-class ACL.
In the above access device, the first mark and the second mark are priority values in the DSCP of the message, or priority values in the 802.1P header of the message.
In the above access device, the first mark and the second mark may alternatively be values of a field added to the message header; the first ACL processing module is then also used for deleting the added field from an uplink message that matches the isolation-class ACL or the security-class ACL before forwarding it.
In the above access device, the source address is the MAC address of the user terminal.
An access device in endpoint admission defense, where an isolation-class ACL and a security-class ACL have been issued on the inbound port of the upstream device of the access device, the matching rule of the isolation-class ACL being: judge whether the uplink message carries the first mark and whether its destination address is a permitted destination address; and the matching rule of the security-class ACL being: judge whether the uplink message carries the second mark and whether its destination address is a permitted destination address; the access device comprises:
an ACL issuing module, for issuing on the inbound port a first-type ACL for each user terminal that has not passed the security-state authentication and a second-type ACL for each user terminal that has passed it, where the matching rule of the first-type ACL is: judge whether the source address of the uplink message is a permitted source address; and the matching rule of the second-type ACL is: judge whether the source address of the uplink message is a permitted source address;
an ACL processing module, for setting the first mark on uplink messages received at the inbound port that match a first-type ACL and then forwarding them to the outbound port, so that the upstream device forwards the received uplink messages that match the isolation-class ACL; and
for setting the second mark on uplink messages received at the inbound port that match a second-type ACL and then forwarding them to the outbound port, so that the upstream device forwards the received uplink messages that match the security-class ACL.
The embodiments of the invention classify user terminals into classes and use ACLs issued on the outbound port to control the access of all admitted users. This effectively reduces the number of ACLs the access device issues during EAD authentication of user terminals, and can therefore increase the access device's capacity to admit user terminals.
Description of the drawings
Fig. 1 is a schematic diagram of the basic principle of endpoint admission defense;
Fig. 2 is a flow chart of the message control method in endpoint admission defense according to embodiment one of the invention;
Fig. 3 is a flow chart of the message control method in endpoint admission defense according to embodiment two of the invention;
Fig. 4 is a schematic structural diagram of the access device in endpoint admission defense according to embodiment one of the invention;
Fig. 5 is a schematic structural diagram of the access device in endpoint admission defense according to embodiment two of the invention.
Embodiments
To make the purpose, technical solution and advantages of the invention clearer, the invention is described below with reference to the accompanying drawings and specific embodiments.
The key points of the embodiments of the invention are:
(1) user terminals are divided into classes, an isolation class and a security class, and dynamic class marking is performed with ACLs and QoS at the inbound port of the access device (in the invention, the inbound port of the access device refers to the access interface of a user terminal);
(2) class control is performed at the outbound port of the access device (in the invention, the outbound port of the access device refers to the interface connecting the access device to the network side, that is, the uplink interface); the outbound port must be issued both the ACL for isolation-class users and the ACL for security-class users, and these can be issued statically, with no need for dynamic issuing, which reduces signalling interaction in the access device;
(3) for access devices that do not support outbound-port ACLs, the isolation-class ACL and the security-class ACL can be issued statically on the inbound port of the upstream device connected to the access device; even if the upstream device is a competitor's device, the overall EAD deployment can still be guaranteed.
Fig. 2 is a flow chart of the message control method in endpoint admission defense according to embodiment one of the invention. The method is applied in the access device (that is, the security interaction device) in EAD and comprises the following steps:
Step 201: issue an isolation-class ACL and a security-class ACL on the outbound port;
Here the matching rule of the isolation-class ACL is: judge whether the uplink message carries the first mark and whether its destination address is a permitted destination address; the processing policy associated with the isolation-class ACL is: forward matching uplink messages.
The matching rule of the security-class ACL is: judge whether the uplink message carries the second mark and whether its destination address is a permitted destination address; the processing policy associated with the security-class ACL is: forward matching uplink messages.
Step 202: on the inbound port, issue a first-type ACL for each user terminal that has not passed the security-state authentication and a second-type ACL for each user terminal that has passed it;
EAD authentication comprises identity authentication and security-state authentication. When a user terminal attempts to access the network, identity authentication is performed first, by 802.1x or portal authentication: if the user name or password is wrong, the user is judged illegal and is refused access; if the user name and password are correct, the user is judged legal.
A legal user is then required to undergo security-state authentication: the security policy server checks whether the user's patch version, virus database version and so on are qualified. If the check fails, the security policy server notifies the access device to place the user in the quarantine area, where only designated resources can be accessed, for example the patch server, the virus server and an internal FTP server. The difference between the invention and the existing implementation is that, for a user in the quarantine area, a large number of ACLs are not issued at the user's access interface to control access; instead the user is assigned to the isolation class, that is, one first-type ACL is issued for that user terminal. User terminals on other ports that are in quarantine are likewise assigned to the isolation class, and one first-type ACL is issued for each quarantined user.
If the security-state authentication passes, the security policy server notifies the access device to place the user in the secure area, where most network resources can be accessed except for a few restricted ones. In this case the difference between the invention and the existing implementation is that, for a user in the secure area, a large number of ACLs are not issued at the user's access interface to control access; instead the user is assigned to the security class, that is, one second-type ACL is issued for that user terminal. User terminals on other ports that are in the secure state are likewise assigned to the security class, and one second-type ACL is issued for each secure user.
Here the matching rule of the first-type ACL is: judge whether the source address of the uplink message is a permitted source address; the processing policy associated with the first-type ACL is: set the first mark on matching uplink messages and then forward them to the outbound port.
The matching rule of the second-type ACL is: judge whether the source address of the uplink message is a permitted source address; the processing policy associated with the second-type ACL is: set the second mark on matching uplink messages and then forward them to the outbound port.
Step 203: set the first mark on uplink messages received at the inbound port that match a first-type ACL and forward them to the outbound port; set the second mark on uplink messages received at the inbound port that match a second-type ACL and forward them to the outbound port;
After an uplink message from a user terminal is received at the inbound port, ACL matching is performed first. Specifically, the source address of the message, for example its MAC address, is compared with the source address in each ACL; if the source address of the uplink message is identical to the source address in a given ACL, the uplink message matches that ACL.
When an uplink message matches an ACL, the processing policy associated with that ACL is executed: if it matches a first-type ACL, the first mark is set in the uplink message and it is forwarded to the outbound port; if it matches a second-type ACL, the second mark is set in the uplink message and it is forwarded to the outbound port.
The embodiments of the invention provide the following three ways of marking uplink messages.
Mode one: marking with two priority values of the differentiated services code point (DSCP)
For example, for a user in the quarantine area the DSCP of the user's uplink messages is set to 1, and for a user in the secure area it is set to 2. The marking action is realised by issuing one ACL at the inbound port; for uplink messages matching this ACL, the DSCP is marked according to the ACL's processing policy. In this way only one ACL needs to be issued at the inbound port for each user, working together with the QoS marking action; compared with the existing implementation, more than 10 ACL resources are saved per user.
Mode two: marking with two priority values of 802.1P
For example, for a user in the quarantine area the 802.1P header of the user's uplink messages is marked 1, and for a user in the secure area it is marked 2. The marking action is realised by issuing one ACL at the inbound port; for uplink messages matching this ACL, the 802.1P header is marked according to the ACL's processing policy. In this way only one ACL needs to be issued at the inbound port for each user, working together with the QoS marking action; compared with the existing implementation, more than 10 ACL resources are saved per user.
Mode three: marking by adding a field to the header of the uplink message
For example, for a user in the quarantine area a field is added to the header of the user's uplink messages and set to 1, and for a user in the secure area a field is added to the header of the user's uplink messages and set to 2. The marking action is realised by issuing one ACL at the inbound port; for uplink messages matching this ACL, the added header field is marked according to the ACL's processing policy. In this way only one ACL needs to be issued at the inbound port for each user, working together with the QoS marking action; compared with the existing implementation, more than 10 ACL resources are saved per user.
Step 204: forward at the outbound port the uplink messages that match the isolation-class ACL or the security-class ACL.
At the outbound port, ACL matching is performed on the user terminal's uplink messages. Specifically, the mark carried in the message is compared with the mark in each ACL, and the destination address of the message with the destination address in the ACL; if the mark carried by the uplink message is identical to the mark in a given ACL and the destination address of the uplink message is identical to the destination address in that ACL, the uplink message matches that ACL. When an uplink message matches an ACL, the processing policy associated with it is executed, that is, the uplink message is forwarded.
It should be noted that, for the case described above of marking by adding a field to the header of the uplink message, the added field must not affect normal forwarding of the message. Therefore, in step 201 the processing policy of the isolation-class ACL and the security-class ACL for this case is: for matching uplink messages, delete the added field from the uplink message and then forward it. In this step, matching uplink messages are processed according to the policy for this case.
Embodiment one requires both the inbound port and the outbound port of the access device to support ACLs. For access devices that do not support outbound-port ACLs, the invention also provides embodiment two below, in which the isolation-class ACL and the security-class ACL are issued statically on the inbound port of the upstream device connected to the access device.
Fig. 3 is a flow chart of the message control method in endpoint admission defense according to embodiment two of the invention. The method is applied in the access device in EAD and in the upstream device connected to that access device, and comprises the following steps:
Step 301: issue an isolation-class ACL and a security-class ACL on the inbound port of the upstream device of the access device;
Here the matching rule of the isolation-class ACL is: judge whether the uplink message carries the first mark and whether its destination address is a permitted destination address; the processing policy associated with the isolation-class ACL is: forward matching uplink messages.
The matching rule of the security-class ACL is: judge whether the uplink message carries the second mark and whether its destination address is a permitted destination address; the processing policy associated with the security-class ACL is: forward matching uplink messages.
Step 302: on the inbound port of the access device, issue a first-type ACL for each user terminal that has not passed the security-state authentication and a second-type ACL for each user terminal that has passed it;
Here the matching rule of the first-type ACL is: judge whether the source address of the uplink message is a permitted source address; the processing policy associated with the first-type ACL is: set the first mark on matching uplink messages and then forward them to the outbound port.
The matching rule of the second-type ACL is: judge whether the source address of the uplink message is a permitted source address; the processing policy associated with the second-type ACL is: set the second mark on matching uplink messages and then forward them to the outbound port.
Step 303: the access device sets the first mark on uplink messages received at its inbound port that match a first-type ACL and forwards them to its outbound port, sets the second mark on uplink messages received at its inbound port that match a second-type ACL and forwards them to its outbound port, and forwards the uplink messages carrying the first or second mark at its outbound port;
After an uplink message from a user terminal is received at the inbound port, ACL matching is performed first. Specifically, the source address of the message, for example its MAC address, is compared with the source address in each ACL; if the source address of the uplink message is identical to the source address in a given ACL, the uplink message matches that ACL.
When an uplink message matches an ACL, the processing policy associated with that ACL is executed: if it matches a first-type ACL, the first mark is set in the uplink message and it is forwarded to the outbound port; if it matches a second-type ACL, the second mark is set in the uplink message and it is forwarded to the outbound port.
For the ways of marking uplink messages, see embodiment one.
Forwarding the uplink messages carrying the first or second mark at the outbound port of the access device means sending them to the inbound interface of the upstream device connected to it.
Step 304: the upstream device forwards the received uplink messages that match the isolation-class ACL or the security-class ACL.
The upstream device performs ACL matching on the user terminal's uplink messages at its inbound port. Specifically, the mark carried in the message is compared with the mark in each ACL, and the destination address of the message with the destination address in the ACL; if the mark carried by the uplink message is identical to the mark in a given ACL and the destination address of the uplink message is identical to the destination address in that ACL, the uplink message matches that ACL. When an uplink message matches an ACL, the processing policy associated with it is executed, that is, the uplink message is forwarded.
It should be noted that, for the case described above of marking by adding a field to the header of the uplink message, the added field must not affect normal forwarding of the message. Therefore, in step 301 the processing policy of the isolation-class ACL and the security-class ACL for this case is: for matching uplink messages, delete the added field from the uplink message and then forward it. In this step, matching uplink messages are processed according to the policy for this case.
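The steps of embodiment one (201 to 204) and embodiment two (301 to 304) carried through as an added Python model; this is example code, not part of the patent. It uses mode one (the DSCP field) for the mark and keeps the two static class ACLs in one object, since the matching logic is the same whether they sit on the access device's outbound port or on the upstream device's inbound port. The addresses, the default-deny behaviour of the class filter and the clearing of the DSCP on traffic from terminals that have no inbound ACL are assumptions of this example.

```python
"""Model of the two-stage ACL scheme: per-terminal marking at the inbound port,
two static class ACLs matching (mark, permitted destination) further along.

Assumptions of this model, not stated by the patent: the class filter drops
anything it does not match, and the inbound stage rewrites the DSCP of every
packet, so a packet from a terminal without an inbound ACL ends up with mark 0
and a terminal cannot admit itself by pre-marking its own packets.
All addresses below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ISOLATION_MARK = 1  # "first mark": terminal failed the security-state check
SECURITY_MARK = 2   # "second mark": terminal passed the security-state check


def set_dscp(tos: int, dscp: int) -> int:
    """Write a 6-bit DSCP into the IPv4 DS byte, preserving the two ECN bits."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is a 6-bit field")
    return (dscp << 2) | (tos & 0x03)


def get_dscp(tos: int) -> int:
    return (tos >> 2) & 0x3F


@dataclass
class Packet:
    src_mac: str
    dst_ip: str
    tos: int = 0  # IPv4 DS byte; the DSCP occupies its upper six bits


@dataclass
class ClassAcl:
    """Static isolation-class or security-class ACL: (mark, permitted destinations)."""
    mark: int
    permitted_dst: tuple

    def matches(self, pkt: Packet) -> bool:
        if get_dscp(pkt.tos) != self.mark:
            return False
        dst = ip_address(pkt.dst_ip)
        return any(dst in net for net in self.permitted_dst)


class ClassFilter:
    """Step 201/301: the two static class ACLs; step 204/304: forward on match."""

    def __init__(self, isolation_dst, security_dst):
        self.acls = [
            ClassAcl(ISOLATION_MARK, tuple(ip_network(n) for n in isolation_dst)),
            ClassAcl(SECURITY_MARK, tuple(ip_network(n) for n in security_dst)),
        ]

    def forward(self, pkt: Packet) -> bool:
        return any(acl.matches(pkt) for acl in self.acls)


class AccessDevice:
    """Step 202/302: one inbound ACL per terminal; step 203/303: mark and pass on."""

    def __init__(self):
        self.inbound = {}  # source MAC -> mark to apply (one ACL per terminal)

    def admit(self, src_mac: str, passed_security_check: bool) -> None:
        mark = SECURITY_MARK if passed_security_check else ISOLATION_MARK
        self.inbound[src_mac.lower()] = mark

    def inbound_stage(self, pkt: Packet) -> Packet:
        # The ACL matches on source MAC only; its action overwrites the DSCP.
        mark = self.inbound.get(pkt.src_mac.lower(), 0)  # 0 = no ACL for this MAC
        pkt.tos = set_dscp(pkt.tos, mark)
        return pkt

    def acl_count(self) -> int:
        return len(self.inbound)


def legacy_acl_count(n_terminals: int, rules_per_terminal: int = 12) -> int:
    """Background section: roughly 12 rules per quarantined terminal."""
    return n_terminals * rules_per_terminal


def run_demo() -> dict:
    # The three /32s stand in for the patch and antivirus servers of a quarantine area.
    filt = ClassFilter(
        isolation_dst=["10.153.0.124/32", "10.153.0.123/32", "10.154.240.11/32"],
        security_dst=["10.0.0.0/8"],
    )
    dev = AccessDevice()
    quarantined, healthy, unknown = "00:11:22:33:44:55", "66:77:88:99:AA:BB", "de:ad:be:ef:00:01"
    dev.admit(quarantined, passed_security_check=False)
    dev.admit(healthy, passed_security_check=True)

    def send(src, dst, tos=0):
        return filt.forward(dev.inbound_stage(Packet(src, dst, tos)))

    return {
        "quarantined_to_patch_server": send(quarantined, "10.153.0.124"),
        "quarantined_to_intranet": send(quarantined, "10.20.30.40"),
        "healthy_to_intranet": send(healthy, "10.20.30.40"),
        "unknown_terminal": send(unknown, "10.153.0.124"),
        # pre-marked packets: the inbound stage rewrites the DSCP either way
        "quarantined_premarked": send(quarantined, "10.20.30.40", SECURITY_MARK << 2),
        "unknown_premarked": send(unknown, "10.20.30.40", SECURITY_MARK << 2),
        "acls_for_two_terminals": len(filt.acls) + dev.acl_count(),
        "legacy_acls_for_two_terminals": legacy_acl_count(2),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```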
The access device that realises the above method is described below.
With reference to Fig. 4, the access device in endpoint admission defense according to embodiment one of the invention comprises:
a first ACL issuing module, for issuing an isolation-class ACL and a security-class ACL on the outbound port;
where the matching rule of the isolation-class ACL is: judge whether the uplink message carries the first mark and whether its destination address is a permitted destination address; the processing policy associated with the isolation-class ACL is: forward matching uplink messages;
and the matching rule of the security-class ACL is: judge whether the uplink message carries the second mark and whether its destination address is a permitted destination address; the processing policy associated with the security-class ACL is: forward matching uplink messages.
a second ACL issuing module, for issuing on the inbound port a first-type ACL for each user terminal that has not passed the security-state authentication and a second-type ACL for each user terminal that has passed it;
where the matching rule of the first-type ACL is: judge whether the source address of the uplink message is a permitted source address; the processing policy associated with the first-type ACL is: set the first mark on matching uplink messages and then forward them to the outbound port;
and the matching rule of the second-type ACL is: judge whether the source address of the uplink message is a permitted source address; the processing policy associated with the second-type ACL is: set the second mark on matching uplink messages and then forward them to the outbound port.
a second ACL processing module, for setting the first mark on uplink messages received at the inbound port that match a first-type ACL and then forwarding them to the outbound port, and setting the second mark on uplink messages received at the inbound port that match a second-type ACL and then forwarding them to the outbound port;
a first ACL processing module, for forwarding at the outbound port the uplink messages that match the isolation-class ACL or the security-class ACL.
Wherein, described first mark and second mark can be the priority among the DSCP of message, perhaps, are the priority in the 802.1P protocol header of message.
Described first mark and second mark also can be the value of the field that increases in heading.The isolation class ACL of this kind situation correspondence and the processing policy of security classes ACL are: for the uplink message of coupling, transmit after deleting the field of the described increase in this uplink message.Therefore, a described ACL processing module also is used for, and before the uplink message that mates described isolation class ACL or described security classes ACL is transmitted, deletes the field of the described increase in this uplink message.
Fig. 5 is a schematic structural diagram of the access device in endpoint admission defense according to the second embodiment of the invention. Here the isolation ACL and the security ACL are issued on the inbound port of the upstream device of the access device; the matching rule of the isolation ACL is: determine whether the uplink message carries the first mark and whether the destination address of the uplink message is a permitted destination address; the matching rule of the security ACL is: determine whether the uplink message carries the second mark and whether the destination address of the uplink message is a permitted destination address. The access device comprises:
An ACL issuing module, configured to issue, on the inbound port, a first-type ACL for each user terminal that has failed security-stage authentication and a second-type ACL for each user terminal that has passed security-stage authentication, where the matching rule of the first-type ACL is: determine whether the source address of the uplink message is a permitted source address; and the matching rule of the second-type ACL is: determine whether the source address of the uplink message is a permitted source address;
An ACL processing module, configured to set the first mark on uplink messages received on the inbound port that match the first-type ACL and forward them to the outbound port, so that the upstream device forwards the received uplink messages that match the isolation ACL; and
to set the second mark on uplink messages received on the inbound port that match the second-type ACL and forward them to the outbound port, so that the upstream device forwards the received uplink messages that match the security ACL.
The beneficial effects of the invention are described below, taking as an example the use of two DSCP priorities as the marks of the isolation class and the security class.
In the invention, access control for both isolation-class and security-class users is placed on the outbound port (the uplink port) of the access device, because all traffic from users to the network must be forwarded through the outbound port. The following isolation ACL is issued on the outbound port:
acl number 3099
rule 0 deny ip
rule 1 permit udp destination-port eq bootps
rule 2 permit udp destination-port eq bootpc
rule 3 permit ip dscp 1 destination 10.153.0.124 0
rule 4 permit ip dscp 1 destination 10.153.0.123 0
rule 5 permit ip dscp 1 destination 10.154.240.11 0
rule 6 permit ip dscp 1 destination 10.72.65.36 0
rule 7 permit ip dscp 1 destination 10.153.0.62 0
rule 8 permit ip dscp 1 destination 10.153.0.60 0
rule 9 permit ip dscp 1 destination 10.153.0.61 0
rule 10 permit ip dscp 1 destination 10.72.66.36 0
rule 11 permit ip dscp 1 destination 10.72.66.37 0
For security-class users the implementation is similar to that for isolation-class users, except that the tag field is dscp 2. If the access device has several outbound ports, the corresponding isolation ACL and security ACL must be issued on every one of them.
Although the ACLs issued on the outbound port above resemble the ACLs that the prior art issues on the inbound port, the prior art issues many ACLs dynamically on the inbound port for each user, whereas the invention issues the isolation ACL and the security ACL statically on the outbound port, with the isolation ACL serving all isolation-class users and the security ACL serving all security-class users. Because no ACLs have to be issued per user, the invention saves ACL resources on the access device.
Take the example where an isolation-class user needs 12 ACLs and a security-class user needs 8 ACLs, with 10 users accessing the network. The ACL resource usage of the technical scheme of the invention and of the existing scheme compares as follows:
(1) The case that consumes the most ACL resources is when all users are in isolation. The prior art must issue 12 ACLs on each user's access port, 120 ACLs in total; the invention only needs to issue 1 ACL on each user's access port and 12+8=20 ACLs on the outbound port (the uplink port), 10*1+20=30 ACLs in total, which saves 120-30=90 ACLs compared with the prior art.
(2) The case that consumes the fewest ACL resources is when all users are in the secure state. The prior art must issue 8 ACLs on each user's access port, 80 ACLs in total; the invention still needs only 30 ACLs, which saves 80-30=50 ACLs compared with the prior art.
When the access device has more uplink ports, the outbound-port ACL resources consumed by the invention increase; however, when the number of access users is large, the invention still saves considerably more ACL resources than the prior art.
Finally, it should be noted that the above embodiments merely illustrate, and do not limit, the technical solution of the invention. Those of ordinary skill in the art will understand that the technical solution of the invention may be modified or equivalently substituted without departing from its spirit and scope, and all such modifications fall within the scope of the claims of the invention.
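The two-stage scheme as an added simulation, not code from the patent: a per-user inbound ACL keyed on the source MAC stamps the DSCP mark, and the static outbound isolation and security ACLs, parsed from the rule syntax shown above, decide by mark and destination wildcard. It assumes depth-first rule ordering, constructed MAC addresses and a constructed security ACL numbered 3100; acl_counts reproduces the 10-user comparison.

```python
import ipaddress
ISOLATION_MARK = 1  # first mark (DSCP 1): terminal failed security-stage authentication
SECURITY_MARK = 2   # second mark (DSCP 2): terminal passed security-stage authentication

def packet(src_mac, dst_ip, proto="ip", dst_port="", dscp=0):
    """An uplink message as the access device sees it; dscp is whatever the terminal sent."""
    return {"src_mac": src_mac, "dst_ip": dst_ip, "proto": proto, "dst_port": dst_port, "dscp": dscp}
def ip_int(s):
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))  # H3C writes an exact-match wildcard as 0

def parse_rule(line):
    """Parse one rule in the page's syntax, e.g. 'rule 3 permit ip dscp 1 destination 10.153.0.124 0'."""
    tok = line.split()
    rule, i = {"id": int(tok[1]), "action": tok[2], "proto": tok[3]}, 4
    while i < len(tok):
        if tok[i] == "dscp":                 # dscp <value>
            rule["dscp"], i = int(tok[i + 1]), i + 2
        elif tok[i] == "destination-port":   # destination-port eq <name>
            rule["dport"], i = tok[i + 2], i + 3
        elif tok[i] == "destination":        # destination <addr> <wildcard>
            rule["dst"], i = (tok[i + 1], tok[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported token {tok[i]!r}")
    return rule

def parse_acl(text):
    return [parse_rule(l) for l in text.splitlines() if l.startswith("rule")]
def matches(rule, pkt):
    if (rule["proto"] not in ("ip", pkt["proto"]) or pkt["dscp"] != rule.get("dscp", pkt["dscp"])
            or pkt["dst_port"] != rule.get("dport", pkt["dst_port"])):
        return False
    if "dst" in rule:  # wildcard bits that are set are "don't care"
        addr, wild = rule["dst"]
        care = ~ip_int(wild) & 0xFFFFFFFF
        return ip_int(pkt["dst_ip"]) & care == ip_int(addr) & care
    return True

def ingress(pkt, user_table):
    """Inbound port: the one per-user ACL matches only the source MAC and stamps the mark for that
    user's state. The mark is always rewritten, so a terminal gains nothing by sending DSCP 2 itself."""
    state = user_table.get(pkt["src_mac"])
    if state is None:  # no ACL for this source: dropped
        return None
    pkt["dscp"] = SECURITY_MARK if state == "secure" else ISOLATION_MARK
    return pkt

def egress(pkt, rules):
    """Outbound (uplink) port: static isolation and security ACLs. Depth-first ('auto') match order
    is assumed, so the most specific rule wins and 'rule 0 deny ip' acts as the catch-all."""
    spec = lambda r: (r["proto"] != "ip") + sum(k in r for k in ("dscp", "dport", "dst"))
    for rule in sorted(rules, key=lambda r: (-spec(r), r["id"])):
        if matches(rule, pkt):
            return rule["action"] == "permit"
    return False

def forward(pkt, user_table, rules):
    tagged = ingress(pkt, user_table)
    return tagged is not None and egress(tagged, rules)

def acl_counts(isolated_users, secure_users, iso_rules, sec_rules, uplinks=1):
    """(prior-art ACL count, this scheme's ACL count), as in the comparison in the text."""
    prior = isolated_users * iso_rules + secure_users * sec_rules
    return prior, (isolated_users + secure_users) + uplinks * (iso_rules + sec_rules)

# Constructed sample: three rules of the page's isolation ACL plus a constructed security ACL (3100)
ISOLATION_ACL = parse_acl("acl number 3099\nrule 0 deny ip\nrule 1 permit udp destination-port eq bootps\n"
                          "rule 3 permit ip dscp 1 destination 10.153.0.124 0")
SECURITY_ACL = parse_acl("acl number 3100\nrule 0 deny ip\nrule 1 permit ip dscp 2 destination 172.16.0.0 0.0.255.255")
UPLINK_RULES = ISOLATION_ACL + SECURITY_ACL
USERS = {"00:11:22:33:44:55": "isolated", "66:77:88:99:aa:bb": "secure"}  # constructed MAC -> state
```

An isolated terminal reaches only the isolation destinations (and DHCP) even if it sets DSCP 2 itself, because the inbound ACL overwrites the mark; a source with no inbound ACL is dropped before any outbound rule is consulted.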

Claims (10)

1. A message control method in endpoint admission defense, characterized in that it comprises the steps of:
issuing an isolation access control list (ACL) and a security ACL on the outbound port, where the matching rule of the isolation ACL is: determine whether an uplink message carries a first mark and whether the destination address of the uplink message is a permitted destination address; and the matching rule of the security ACL is: determine whether an uplink message carries a second mark and whether the destination address of the uplink message is a permitted destination address;
issuing, on the inbound port, a first-type ACL for each user terminal that has failed security-stage authentication and a second-type ACL for each user terminal that has passed security-stage authentication, where the matching rule of the first-type ACL and of the second-type ACL is: determine whether the source address of an uplink message is a permitted source address;
setting the first mark on uplink messages received on the inbound port that match the first-type ACL and forwarding them to the outbound port, and setting the second mark on uplink messages received on the inbound port that match the second-type ACL and forwarding them to the outbound port;
forwarding, at the outbound port, uplink messages that match the isolation ACL or the security ACL.
2. The message control method of claim 1, characterized in that:
the first mark and the second mark are the priority in the differentiated services code point (DSCP) field of the message, or the priority in the 802.1P protocol header of the message.
3. The message control method of claim 1, characterized in that:
the first mark and the second mark are the value of a field added to the message header;
the method further comprises: deleting the added field from an uplink message that matches the isolation ACL or the security ACL before forwarding it.
4. The message control method of claim 1, characterized in that:
the source address is the MAC address of the user terminal.
5. A message control method in endpoint admission defense, characterized in that it comprises the steps of:
issuing an isolation ACL and a security ACL on the inbound port of the upstream device of an access device, where the matching rule of the isolation ACL is: determine whether an uplink message carries a first mark and whether the destination address of the uplink message is a permitted destination address; and the matching rule of the security ACL is: determine whether an uplink message carries a second mark and whether the destination address of the uplink message is a permitted destination address;
issuing, on the inbound port of the access device, a first-type ACL for each user terminal that has failed security-stage authentication and a second-type ACL for each user terminal that has passed security-stage authentication, where the matching rule of the first-type ACL and of the second-type ACL is: determine whether the source address of an uplink message is a permitted source address;
the access device setting the first mark on uplink messages received on its inbound port that match the first-type ACL and forwarding them to the outbound port, setting the second mark on uplink messages received on its inbound port that match the second-type ACL and forwarding them to the outbound port, and forwarding the uplink messages carrying the first or second mark at the outbound port;
the upstream device forwarding received uplink messages that match the isolation ACL or the security ACL.
6. An access device in endpoint admission defense, characterized in that it comprises:
a first ACL issuing module, configured to issue an isolation ACL and a security ACL on the outbound port, where the matching rule of the isolation ACL is: determine whether an uplink message carries a first mark and whether the destination address of the uplink message is a permitted destination address; and the matching rule of the security ACL is: determine whether an uplink message carries a second mark and whether the destination address of the uplink message is a permitted destination address;
a second ACL issuing module, configured to issue, on the inbound port, a first-type ACL for each user terminal that has failed security-stage authentication and a second-type ACL for each user terminal that has passed security-stage authentication, where the matching rule of the first-type ACL is: determine whether the source address of an uplink message is a permitted source address; and the matching rule of the second-type ACL is: determine whether the source address of an uplink message is a permitted source address;
a second ACL processing module, configured to set the first mark on uplink messages received on the inbound port that match the first-type ACL and forward them to the outbound port, and to set the second mark on uplink messages received on the inbound port that match the second-type ACL and forward them to the outbound port;
a first ACL processing module, configured to forward, at the outbound port, uplink messages that match the isolation ACL or the security ACL.
7. The access device of claim 6, characterized in that:
the first mark and the second mark are the priority in the DSCP field of the message, or the priority in the 802.1P protocol header of the message.
8. The access device of claim 6, characterized in that:
the first mark and the second mark are the value of a field added to the message header;
the first ACL processing module is further configured to delete the added field from an uplink message that matches the isolation ACL or the security ACL before forwarding it.
9. The access device of claim 6, characterized in that:
the source address is the MAC address of the user terminal.
10. An access device in endpoint admission defense, where an isolation ACL and a security ACL are issued on the inbound port of the upstream device of the access device, the matching rule of the isolation ACL being: determine whether an uplink message carries a first mark and whether the destination address of the uplink message is a permitted destination address; and the matching rule of the security ACL being: determine whether an uplink message carries a second mark and whether the destination address of the uplink message is a permitted destination address; characterized in that the access device comprises:
an ACL issuing module, configured to issue, on the inbound port, a first-type ACL for each user terminal that has failed security-stage authentication and a second-type ACL for each user terminal that has passed security-stage authentication, where the matching rule of the first-type ACL is: determine whether the source address of an uplink message is a permitted source address; and the matching rule of the second-type ACL is: determine whether the source address of an uplink message is a permitted source address;
an ACL processing module, configured to set the first mark on uplink messages received on the inbound port that match the first-type ACL and forward them to the outbound port, so that the upstream device forwards the received uplink messages that match the isolation ACL; and
to set the second mark on uplink messages received on the inbound port that match the second-type ACL and forward them to the outbound port, so that the upstream device forwards the received uplink messages that match the security ACL.
CN2009100917255A 2009-08-24 2009-08-24 Message control method and access equipment in endpoint admission defense Expired - Fee Related CN101631121B (en)
Publications (2)

CN101631121A, published 2010-01-20
CN101631121B, published 2011-12-28
Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01: Grant of patent or utility model
CP03: Change of name, title or address
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466
Patentee after: Xinhua three Technology Co., Ltd.
Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base
Patentee before: Huasan Communication Technology Co., Ltd.
CF01: Termination of patent right due to non-payment of annual fee
Granted publication date: 20111228
Termination date: 20200824